Roll20 data breach

What Happened

In December 2018, around December 26, Roll20, a popular online platform for tabletop role-playing games, suffered a data breach affecting approximately 4 million user accounts. Hackers gained unauthorized access to the “accounts table” and stole sensitive information including email addresses, IP addresses, names, bcrypt password hashes, and the last 4 digits of credit card numbers. The breach was discovered in February 2019, when the stolen data (about 700MB) appeared for sale on a dark web marketplace. Roll20 then hired cybersecurity firm Kroll and a legal team to investigate; the investigation identified and patched several possible attack vectors, and credentials, communication practices, and code libraries were updated. No full credit card numbers, addresses, or unhashed passwords were exposed. Roll20 recommended that users change their passwords and enable two-factor authentication. The incident was later verified and added to breach databases such as Mozilla Monitor in July 2019.

Compromised Assets

  • email
  • password
  • first name
  • last name
  • id
  • ip
  • avatar
