11 votes

Roll20 Blog - Conclusion of 2018 Data Breach Investigation

5 comments

  1. vakieh

    This blog post is really confusing. They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors. 1) It was already HELD by a bad actor in the first place, and 2) if it was that cheap no shit it's been purchased.

    The data was

    name, email address, last four of credit card, most recent IP address, and hashed & salted password

    Which is not that bad tbh, so long as their implementation of hashing and salting is up to snuff. But their complete lack of transparency regarding the nature of the breach

    The investigation identified several possible vectors of attack that have since been remedied.

    aka "our practices were so bad we have no fucking clue how we were breached". If they have closed a vector, why not disclose what it was? Of course the answer is nobody wants to admit to having u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key, but even big corporations have the balls to admit it after they're caught.

    6 votes
    1. aphoenix

      I don't think this is a really fair breakdown and I'm not sure why you find it confusing.

      They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors.

      1. It was already HELD by a bad actor in the first place

      The one who sells the data is often not considered to be the same as the people who purchase and maliciously use the data. While one could consider the person who procured data from the breach to be a "bad actor", that individual or group is not particularly likely to use that data to some advantage, but the purchaser is, so what they are saying is "this data was breached and this data was purchased and someone is likely going to try to use this data".

      "our practices were so bad we have no fucking clue how we were breached"

      Having made a statement similar to this in the past (though not on this scale) I would guess that they have a pretty good guess about what the problem was, and in the course of figuring that out found some other things. Not explaining all the things that one has done wrong in infrastructure isn't a bad idea. While it's possible that they had:

      u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key

      it's also possible that there was a reasonable attack vector that they had not considered and do not want to publish. There are also a variety of things one does not publish when things like this happen, and it could be any number of them, including things like a malicious former employee taking data which would result in an investigation that you cannot talk about.

      2 votes
      1. vakieh

        that individual or group is not particularly likely to use that data to some advantage

        Have you worked in cybersecurity? This is absolutely false - they do both. In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.

        If the vector is closed, it can be discussed. If it isn't closed this long after the event, the company should purge their databases as they are not capable of managing them correctly. If the vector was people, say so (there is no such thing as an investigation so sensitive you cannot say "the vector was a person rather than system configuration"). Transparency in breach reporting is one of the only ways consumers have to vote with their feet when it comes to companies making shithouse decisions regarding the privacy of those consumers' data. Assuming the worst where that transparency does not occur must be the default position.

        1 vote
        1. aphoenix

          Have you worked in cybersecurity? This is absolutely false - they do both.

          Just to be clear, I'm not ignoring this, I'm just not interested in continuing this part of the discussion. The person who wrote the article drew a distinction here, and that's all that happened. If you're interested in discussing what people do with breached data, it would be an interesting post on its own, but I don't think it needs to be part of this, and I also don't think it's worthwhile to split hairs to the degree that you were doing.

          In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.

          They acted immediately as if it had been bought (as they state in the article). They also stated that in addition to this, they have reports that it had been bought. There's no indication that they acted at any point as if the data had not been purchased. This is another time where you are splitting hairs or harping on a particular turn of phrase. It's not really a worthwhile way to spend one's time.

          If the vector is closed, it can be discussed.

          See previous comment re: an instance where I was involved in a breach and literally could not legally discuss the situation. If I have been involved in a case where it has happened, it's not difficult to understand that these situations can exist.

          Transparency in breach reporting is one of the only ways consumers have to vote with their feet

          If you value transparency, then "vote with your feet", which I assume means leaving this service. I strongly encourage you to stop using Roll20 if you feel like transparency with breaches is a key factor for you. For most people, transparency in this doesn't matter, because they won't understand what would be said. I know dozens of people who use Roll20 and not a single one of them care about the transparency level of this report; they care that they identified the issue and have worked to fix it. I'll reiterate though, that if you feel strongly about this, leave the service or ask Jeff to give a more technical account of the data breach. They've really just started their report on this, so it's possible he'd provide one.

          1 vote
  2. Soptik

    I asked them if they could tell me how the attacker got through their system, as I'm a compsci student and I'm interested in real life scenarios.

    After 6(!) days, this came back:

    Hello,

    Not a problem, I can help with that. Before we can process your request, we do need to verify your ownership of this Roll20 account. By confirming, you are certifying that you are the owner of the Roll20 account in question and you wish to receive an example of your data stored in the Roll20 Accounts database.

    If this is the email address associated with your Roll20 account, please reply to this email, and include the word "yes" in your response.

    If this email address is not the one associated with your Roll20 Account, please send a request from that email address.

    Thank you!
    Miles

    (emph. mine). I wonder if I'll be able to get to a human.

    2 votes