Popular virtual tabletop service Roll20 has experienced a serious security breach, according to an email the company sent out to users. The email, written on July 2, warned users that their personal data may have been exposed, including “first and last name, email address, last known IP address, and the last four digits” of credit cards. However, the breach didn’t expose passwords or full financial information, so that’s good.
The company discovered “unauthorized access” to an administrative account last week. It immediately blocked the impacted account, but this particular account had access to the aforementioned personal information. Roll20 doesn’t know if anyone actually used this breach to scoop up data, saying it has “no reason to believe that your personal information has been misused” and that it’s notifying users “out of an abundance of caution.”
Engadget reached out to the company for more information regarding the timeline and the potential impact. We’ll update this post when we hear more. “We truly regret that this incident occurred on our watch,” Roll20 founder Riley Dutton told Wargamer.
It’s worth noting that users have been asking the company to implement two-factor authentication (2FA) for years, to no avail. Roll20 experienced a similar data breach in 2018 that impacted four million users. It’s probably time for Roll20 to bump its charisma stats and approach a 2FA service provider, for the good of the realms.