Q: What happened?
A: On June 29, 2024, we learned that your personal information in your Roll20.net account may have been exposed when a bad actor gained access to our administrative website account. The bad actor modified one user account, and we promptly reversed those modifications. During this time, the bad actor was able to access and view all user accounts.
Q: When did the event occur?
A: We realized our network had been compromised at approximately 6:30 P.M. Pacific Standard Time on June 29. By 7:30 P.M., we had blocked all unauthorized access and ended the network breach.
Q: What kind of information was exposed in this event?
A: The bad actor had access to administrative account website controls during the breach. This allowed the bad actor to access, view, and modify user accounts, and it is possible that the bad actor may have been able to view Roll20 users’ personally identifiable information, including:
- The user’s first and last name;
- The user’s e-mail address;
- The user’s last known IP address; and
- The last four digits of the user’s credit card, if the user maintained a stored payment method in their Roll20 account.
Notably, your password was not exposed (because we only store a salted bcrypt hash of your password), nor was payment information such as your full card number (we do not store that information on our servers; it is stored with our payment processors).
Q: What is Roll20 doing in response to the event?
A: State laws require that we notify you in writing and we want you to be aware of this incident because some of your personal information may have been taken. We’re committed to protecting your privacy and personal information. While we have no reason to believe that your personal information has been misused, we are notifying you so that you have the information and tools necessary to help detect and prevent any misuse of your personal information.
Q: What is Roll20 doing to prevent similar events from happening in the future?
A: Roll20 has examined and analyzed existing procedures and systems, and, in response to that analysis, is now implementing an action plan which will:
- Further restrict access to the administrative accounts to prevent unauthorized account access;
- Further restrict the data that an administrative user can access; and
- Add enhanced security measures as needed to prevent this incident from happening again.
Q: How can I speak to Roll20 directly about what happened?
A: If you have any questions about the above, or if you’d like to view a copy of your account data that the actor may have had access to, please reach out to us at any time via https://help.roll20.net with the subject line “Incident Data Request” and we will be happy to assist you.