In an article posted on TechCrunch February 14, the tech site revealed a potential 127 million compromised accounts. Following the announcement of 617 million other breached accounts, an individual compromised most of the accounts during 2018. This brings the total number of websites hit by this wave of hacker activity to 24. Though accounts had information stolen months ago, identifying data for these accounts went on sale just this week.
One hacker, refusing to reveal their identity, is claiming responsibility for the leaks. The Register reports they believe the person responsible is located outside the United States. At least one person has purchased credentials through the dark web, according to the seller.
In an attempt to reassure Roll20 users, the online virtual tabletop posted a tweet and an entry in their blog.
We work hard to ensure data breaches don’t happen, and we always plan ahead for worst-case scenarios. That’s why we maintain strict limits on the amount of personal information available for exposure in such a breach.
We are examining a report in regards to a possible security breach.
Roll20 only maintains users’ name, email address, hashed password, last login IP and time of login, and the last 4 digits of users’ credit card.
— Roll20® (@roll20app) February 15, 2019
At the time of writing, Stronghold Kingdoms’ London-based developer and publisher, Firefly Studios, has not commented. The hacking has inspired a lot of speculation. Ariel Ainhoren, research team leader at Israeli company IntSights, has a theory about what he thinks happened.
“We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability. As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”
Altogether, the security breaches have impacted an estimated 847 million accounts so far. This story is still developing.
Firefly Studios released a statement on the topic saying:
We have investigated the reported data breach. The security flaw that allowed the hack has already previously been removed as part of our ongoing security.
We purposefully do not ask for or store any sensitive or financial information relating to player accounts. The player information that was stolen includes player usernames, email addresses & hashed passwords which are encrypted using latest industry standard techniques that do not allow even us to view them.
We can only apologise for having allowed the hack to happen, but please be assured that we will use this event to redouble our efforts to protect your online security.
This only emphasizes the importance of good cybersecurity practices. You can find a basic list of good policies here, courtesy of Berkeley.