Drive Thru RPG data breach

Sorry if this causes a double post for some but I am putting this on my blog as well as on Facebook. I think it is important enough to warrant that kind of communication.

I got notification this morning and confirmed it with Drive Thru that they have had a security breach and that approximately half of the customer data has been stolen. The breach affected the payment information and account information (not including site passwords) for anyone purchasing items between 7/6/2015 and 8/6/2015.

They are not giving out any more information than that at this time. Personally, this is why I shop online only with prepaid gift cards and have ongoing fraud protection. I am going to include below a copy of the letter they sent me and the information from their Q&A page regarding the breach, just so anyone who is interested can read up on what they are telling us.

What this letter does not tell anyone is that One Book Shelf is what was breached, not one specific site of the eight they show on their web page. One Book Shelf is the parent behind RPG Now, Drive Thru RPG, D&D Classics.com, Drive Thru Cards, Drive Thru Fiction, Wargame Vault, and Ulisses Ebooks.de. I know from personal experience that any account information you may have with any of these sites is shared between all of them.

I can say I appreciate them letting me know. I do not think that contacting the FBI and asking what to do next is an appropriate reason for not disclosing to their customers faster that something happened, though. The fact that direct notification was not given to anyone who had not shopped on their sites in the last month annoys me, as I think other customers would like to know that something happened. However, given the fact that banks, major retail stores and other online sites have taken months to notify anyone, if they ever do, they have made positive progress here in my book. All in all, keep shopping online, but do it in a way that makes you feel safe about your information and payment data.

Now gimme the dice, I need to roll up a new password.

***************************Notification Email ***************************

Dear customer,

I regret to inform you that one of our servers suffered a security breach which may have compromised your credit card information.

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

Our technical team has identified the issue and has secured our servers. Our websites are once again safe to use.

Information such as your name and email address were potentially compromised as well.

Login passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password, but you are more than welcome to do so on your Account page at any time if you wish.

We are truly sorry this incident occurred and sincerely regret the inconvenience it causes you. Navigating credit card company call center menus is no one's idea of a good time.

Security has always been our top concern and up until this incident we were proud of our security record at DriveThruRPG.com. We will continue to do everything we can to keep our marketplace secure going forward.

More information on this is available on this page:
http://support.drivethrurpg.com/entries/69850204-Credit-Card-Data-Breach-Q-A

And on the DriveThruRPG Facebook page:
https://www.facebook.com/DriveThruRPG

Thank you for your patience and loyalty.

Best Regards,
Steve Wieck
OneBookShelf

*******************************Web Page Q&A from the link in email********

Credit Card Data Breach Q&A

Jeff Montgomery
posted this on Aug 10, 4:23 PM

Please find below a list of common questions about our security breach with their corresponding answers:

Q: If I made purchases at DriveThruRPG prior to July 10 but did not store my credit card information on your site, are there any steps I need to take?

A: No. All Login Passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password but are more than welcome to on your Account page at any time.

 

Q: What should I do if I made a purchase between July 10th, 2015 and the morning of August 6th, 2015?

A: We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site.

 

Q: If I store my credit card information at DriveThruRPG, what steps should I take?

A: We suggest you contact your credit card issuing bank and ask them to replace your credit card. We have no evidence that these numbers were compromised. It would not have been easy to un-encrypt the stored numbers, but we cannot rule out the possibility.

 

Q: Do I need to reset my login password?

A: No. Login Passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password but are more than welcome to on your Account page at any time.

 

Q: Is it safe to shop on the site?

A: Yes. Our technical team has identified the issue and secured our servers. Our websites are once again safe to use.

 

Q: What if I used account credit, or a gift card, or checked out using PayPal for payment?

A: Your transaction was not affected. There’s nothing you need to do.

 

Q: What are you doing to ensure our safety in the future?

A: Everything we can. Like all e-commerce sites, we are subjected to intrusion attempts on an ongoing basis. We use a comprehensive set of measures to maintain site security. We are PCI compliant for credit card processing.

In this case a hacker found a crack in our defenses and got in. We have fixed the intrusion point and will continue our ongoing work to keep our site secure against such attacks.

 

Q: Can you give me details of the breach?

A: For security reasons there are elements that we will not discuss. The main things the hacker accomplished were using our server as a platform to launch DDOS attacks on other sites and also swiping credit card information as we processed it from July 10th to the morning of August 6th.

 

Q: Why did you delay contacting customers?

A: We reached out to both the FBI and our credit card payment processor, and were awaiting contact from them so that we could consult with them on the best course of action to take.

Q: How could you let all this credit and debit card information get accessed?

A: This unauthorized access is a crime, and we are taking it very seriously. While we can’t provide specifics because the investigation is ongoing, we are working with the Federal Bureau of Investigation on the matter.

 

Q: Should I contact you to see if my credit or debit cards were affected?

A: If your card was among those that were potentially affected, then we have already sent you an email about it. If we did not send you an email, then yours was not one of the cards that were potentially affected.

Q: How do I know if my card information is stored?

A: To check your card information, just navigate to your Account page using the tab at the top of the screen.  Then, in the Account section, click on the link to Update Stored Payment Information.  The next page will display any stored information and you can change or remove your card information using this tool as well.

Q: How can I tell which card number I have saved with you?

A: To check your card information, just navigate to your Account page using the tab at the top of the screen.  Then, in the Account section, click on the link to Update Stored Payment Information.  The next page will display any stored information and you can change or remove your card information using this tool as well.

 

Q: Can you give me more of the nitty-gritty tech details?

A: For passwords, we store as a salted hash, so those cannot feasibly be reversed. The reason we said 50% likelihood of being compromised is because we have two load-balanced webservers, and only one of them was compromised. Unfortunately, it is impossible to tell which webserver you may have been routed to, if you were one of the customers who checked out during the affected period. Credit cards were stored in an encrypted format; however, for us to be able to send them along for future purchases we have to be able to decrypt them, so it is possible that the hackers could have done so as well. However, we have no evidence indicating that the attackers breached our database. We are just being extra cautious in letting you know that it is a possibility. And even if they did, we do not store CVV numbers, so just having the credit card number would be of very limited use to a potential hacker.

Q: What if I have other questions that aren’t covered here?

A: Go to http://support.drivethrurpg.com/requests/new and submit your question there.

***************************************************************************
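The "nitty-gritty" answer above draws a distinction worth seeing in code: login passwords are kept as a salted one-way hash, while stored card numbers are encrypted in a way the site can reverse for repeat purchases, so an intruder on the server may be able to reverse them too. The example below is added here and is not OneBookShelf's code; it assumes (hypothetically) PBKDF2-HMAC-SHA256 for passwords and a symmetric card-number key that the web server itself can read. The card encryption is a small HMAC-based counter-mode construction so that the example runs with only the Python standard library; a real deployment would use AES-GCM from a vetted library and keep the key in an HSM or a separate tokenization service. The customer records, card number and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed work factor; a real deployment tunes this to its hardware budget.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). PBKDF2 is one-way: there is no key that undoes it."""
    if not salt:
        salt = os.urandom(16)  # per-user random salt, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time (no timing oracle)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt: bytes, digest: bytes, wordlist: list) -> str:
    """The only move an intruder has against a salted one-way hash: guess and re-hash.

    Returns the matching guess, or "" when nothing in the wordlist matches. The
    per-user salt means this work cannot be shared across users or precomputed.
    """
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return ""


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the one stored key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_card(key: bytes, pan: str) -> bytes:
    """Encrypt a card number so the site can decrypt it for a later purchase."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    plaintext = pan.encode("ascii")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag  # 16-byte nonce, ciphertext, 32-byte tag


def decrypt_card(key: bytes, blob: bytes) -> str:
    """Reverse encrypt_card. Anyone holding `key` can do this, including an intruder."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("card record tampered with or wrong key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode("ascii")


def simulate_server_compromise() -> dict:
    """Model an intruder who copies the database and the web server's config.

    Everything below is constructed sample data, not real customer records.
    """
    card_key = os.urandom(32)  # checkout code must read it, so it sits on the server
    weak_salt, weak_digest = hash_password("password123")
    strong_salt, strong_digest = hash_password("correct horse battery staple")
    stored_card = encrypt_card(card_key, "4111111111111111")

    # The intruder now holds both salts and digests, stored_card, and card_key.
    wordlist = ["123456", "password", "password123", "letmein"]  # constructed
    return {
        "card_recovered": decrypt_card(card_key, stored_card) == "4111111111111111",
        "weak_password_guessed": offline_guess(weak_salt, weak_digest, wordlist),
        "strong_password_guessed": offline_guess(strong_salt, strong_digest, wordlist),
    }


if __name__ == "__main__":
    print(simulate_server_compromise())
```

Running it shows the asymmetry the Q&A describes: the stored card comes back in full because the decryption key had to be on the same box, while the password digests yield nothing except by guessing, and a strong passphrase survives the wordlist. That is also why the CVV point matters: a number the site never stores is one the intruder cannot decrypt.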
