Monday, August 10, 2015

Onebookshelf Servers Hacked

I just had this forwarded to me:

Subject: Security Notice Affecting DriveThruRPG.com Customers

Dear customer,

I regret to inform you that one of our servers suffered a security breach which may have compromised your credit card information.

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

Our technical team has identified the issue and has secured our servers. Our websites are once again safe to use.

Information such as your name and email address were potentially compromised as well.

Login passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password, but you are more than welcome to do so on your Account page at any time if you wish.

We are truly sorry this incident occurred and sincerely regret the inconvenience it causes you. Navigating credit card company call center menus is no one's idea of a good time.

Security has always been our top concern and up until this incident we were proud of our security record at DriveThruRPG.com. We will continue to do everything we can to keep our marketplace secure going forward.

More information on this is available on this page:
http://support.drivethrurpg.com/entries/69850064-Security-Breach-Q-A

17 comments:

  1. Never let a site store your credit card information.

    Replies
    1. They do not (well, not in the clear): http://support.drivethrurpg.com/entries/69850204-Credit-Card-Data-Breach-Q-A

      That's likely why this only affects a narrow 30 day window of time.

  2. This comment has been removed by the author.

  3. Hmmm.... I'm a onebookshelf customer and vendor, didn't get any such email.

    Replies
    1. "Those that may be affected are specifically credit cards used or stored on our site between July 6th, 2015 and the morning of August 6th, 2015."

      Also see: http://support.drivethrurpg.com/entries/69850204-Credit-Card-Data-Breach-Q-A

  4. I got it, then checked as I just got my new card the other day. My info is in the clear.

  5. I didn't get this message but also haven't used a CC to buy anything through Onebookshelf in about eight years; paypal purchases only.

  6. This happened to them before, a few years back, hence I don't store my card details with them. But I didn't get the mail either.

  8. Yeah I got the email. Decided to play it safe and cancelled my card.

  9. This is why I only use paypal on their site and any other that will allow it. Also, why I love that they take paypal.

  10. Goddamnit. I used that card once on the site and I use it for all my monthly recurring payments. This is going to take me hours to fix.

  11. Had to replace my card due to fraudulent purchases just a few weeks ago. Wonder if it was related. At least I don't have to worry about changing cards now (as opposed to three weeks ago).

  12. "Login passwords are stored encrypted with a one-way hash and cannot be decrypted." Umm.. While hashes are near impossible to decrypt, as long as the hashing algorithm and the target hash are known, all that needs to happen is to brute-force the hashing algorithm until a match is found...

    Replies
    1. Yeah, I noticed that too. Now, if you are really good about using very strong passwords, that helps a bit, but even so, I'd change any password where I thought hackers might have access to even an encrypted password table.
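The point made in the last two comments (a one-way hash cannot be reversed, but a leaked hash table can still be attacked guess by guess, and a strong password only helps if it is not in the attacker's wordlist) is easier to see in code. The following is an added example, not code from the original post and not anything from DriveThruRPG or OneBookShelf. It assumes, purely for illustration, a leaked table of unsalted SHA-1 digests; the page does not say which hash the site actually used. The users, passwords and wordlist are constructed. It then stores the same passwords as salted, iterated PBKDF2 records and runs the identical dictionary attack, counting the hash work each storage scheme forces on the attacker.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the page): three users whose passwords
# are stored as bare SHA-1 digests with no salt.  Assumption for illustration
# only; the page does not say which hash DriveThruRPG used.
SAMPLE_PASSWORDS = {
    "alice": "password123",
    "bob": "dragon",
    "carol": "X9#qL!v2mR7@tZ",   # long random password, absent from the wordlist
}
LEAKED_UNSALTED = {
    user: hashlib.sha1(pw.encode()).hexdigest()
    for user, pw in SAMPLE_PASSWORDS.items()
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "dragon", "letmein", "password123", "qwerty"]


def crack_unsalted(leaked, wordlist, algo="sha1"):
    """Dictionary attack against an unsalted hash table.

    Returns (recovered, hash_calls).  Each candidate word is hashed exactly
    once and looked up against every user at the same time: with no salt,
    two users who chose the same password share the same digest, so the
    cost is len(wordlist) hashes no matter how many accounts leaked.
    """
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: table[d] for u, d in leaked.items() if d in table}
    return recovered, len(wordlist)


def make_salted_record(password, iterations=200_000):
    """Store a password as PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record, password):
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def crack_salted(records, wordlist):
    """The same dictionary attack against salted, iterated records.

    Returns (recovered, hash_calls).  The salt forces a separate derivation
    for every (user, candidate) pair, and each derivation costs `iterations`
    HMAC calls instead of one, so the attacker's work is multiplied by
    number_of_users * iterations.  Weak passwords still fall; each guess
    simply costs far more.
    """
    recovered = {}
    hash_calls = 0
    for user, rec in records.items():
        for word in wordlist:
            hash_calls += rec["iterations"]
            if verify_salted(rec, word):
                recovered[user] = word
                break
    return recovered, hash_calls


def demo_salted(iterations=200_000):
    """Hash the sample passwords with salt + PBKDF2 and attack them."""
    records = {
        u: make_salted_record(pw, iterations) for u, pw in SAMPLE_PASSWORDS.items()
    }
    return crack_salted(records, WORDLIST)


if __name__ == "__main__":
    found, calls = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {calls} hash calls")
    found, calls = demo_salted()
    print(f"salted PBKDF2:  recovered {found} with {calls:,} HMAC calls")
```

Both runs recover alice and bob, whose passwords are in the wordlist, and neither recovers carol, whose password is not. The difference is cost: six SHA-1 calls for the whole unsalted table versus several million HMAC calls for the salted one, and that cost is per leaked table, not per leaked user, only in the unsalted case. Either way, the reply's advice holds: a hash table in an attacker's hands is a reason to rotate the password.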