The popular online tabletop and role-playing game platform Roll20 announced on Wednesday that it had suffered a data breach, which exposed some users’ personal information.
In a post published on its official website, Roll20 said that on June 29 it had detected that a “bad actor” gained access to an account on the company’s administrative website for one hour, after which the company “blocked all unauthorized access and ended the network breach.”
“The bad actor modified one user account, and we promptly reversed those modifications. During this time, the bad actor was able to access and view all user accounts,” the company wrote.
The hacker, according to Roll20, “may have been able to view” users’ personal information, including full name, email address, last-known IP address, and the last four digits of their credit card, if the user had stored a payment method on their account. The company added that the hacker did not have access to passwords or full payment information like home addresses and full credit card numbers.
Roll20 said it is notifying users of the breach. Several users shared screenshots of the email notification on social media. A TechCrunch reporter also received the same notification.
Roll20 spokesperson Jayme Boucher did not respond to a series of questions from TechCrunch, including how many users in total were affected, how many users had their last four digits of their credit card stolen, how the hacker gained access to the administrative account, and whether the company has any information on who the hacker or hackers were.
Roll20 says on its website that it has 12 million users and that it’s “the No. 1 choice for D&D online.”
“We truly regret that this incident occurred on our watch. Although we have no evidence that any of the data is being misused, and no passwords or card numbers were exposed, we believe in the importance of being transparent with our users about any potential exposure of their personal information,” Boucher told TechCrunch in an email. “We’re still investigating and don’t have further details to share at this time beyond what we shared in our email notification. We prioritized being as transparent as possible as quickly as possible, and that’s why we notified users today.”
In 2019, TechCrunch reported that a hacker had stolen more than 600 million records from 24 websites, including Roll20. The hacker listed 4 million records from the company at the time.