The email, written on July 2, warned users that their personal data may have been exposed, including “first and last name, email address, last known IP address, and the last four digits” of credit cards. However, the breach didn’t expose passwords or full financial information, so that’s good.
The company discovered “unauthorized access” to an administrative account last week. It immediately blocked the impacted account, but this particular account had access to the aforementioned personal information. Roll20 doesn’t know if anyone actually used this breach to scoop up data, saying it has “no reason to believe that your personal information has been misused” and that it’s notifying users “out of an abundance of caution.”
It’s worth noting that users have been asking the company to implement two-factor authentication (2FA) for years, to no avail. It experienced a similar data breach in 2018 that impacted four million users. It’s probably time for Roll20 to bump its charisma stats and approach a 2FA service provider, for the good of the realms.
