11 votes

Roll20 Blog - Conclusion of 2018 data breach investigation

6 comments

  1. [4]
    vakieh

    This blog post is really confusing. They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors. 1) It was already HELD by a bad actor in the first place, and 2) if it was that cheap no shit it's been purchased.

    The data was

    name, email address, last four of credit card, most recent IP address, and hashed & salted password

    Which is not that bad tbh, so long as their implementation of hashing and salting is up to snuff. But their complete lack of transparency regarding the nature of the breach

    The investigation identified several possible vectors of attack that have since been remedied.

    aka "our practices were so bad we have no fucking clue how we were breached". If they have closed a vector, why not disclose what it was? Of course the answer is nobody wants to admit to having u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key, but even big corporations have the balls to admit it after they're caught.

    6 votes
    1. [3]
      aphoenix

      I don't think this is a really fair breakdown and I'm not sure why you find it confusing.

      They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors.

      1. It was already HELD by a bad actor in the first place

      The one who sells the data is often not considered to be the same as the people who purchase and maliciously use the data. While one could consider the person who procured data from the breach to be a "bad actor" that individual or group is not particularly likely to use that data to some advantage, but the purchaser is, so what they are saying is "this data was breached and this data was purchased and someone is likely going to try to use this data".

      "our practices were so bad we have no fucking clue how we were breached"

      Having made a statement similar to this in the past (though not on this scale) I would guess that they have a pretty good guess about what the problem was, and in the course of figuring that out found some other things. Not explaining all the things that one has done wrong in infrastructure isn't a bad idea. While it's possible that they had:

      u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key

      it's also possible that there was a reasonable attack vector that they had not considered and do not want to publish. There are also a variety of things one does not publish when things like this happen, and it could be any number of them, including things like a malicious former employee taking data which would result in an investigation that you cannot talk about.

      2 votes
      1. [2]
        vakieh

        that individual or group is not particularly likely to use that data to some advantage

        Have you worked in cybersecurity? This is absolutely false - they do both. In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.

If the vector is closed, it can be discussed. If it isn't closed this long after the event, the company should purge their databases as they are not capable of managing them correctly. If the vector was people, say so (there is no such thing as an investigation so sensitive you cannot say "the vector was a person rather than system configuration"). Transparency in breach reporting is one of the only ways consumers have to vote with their feet when it comes to companies making shithouse decisions regarding the privacy of those consumers' data. Assuming the worst where that transparency does not occur must be the default position.

        2 votes
        1. aphoenix

          Have you worked in cybersecurity? This is absolutely false - they do both.

          Just to be clear, I'm not ignoring this, I'm just not interested in continuing this part of the discussion. The person who wrote the article drew a distinction here, and that's all that happened. If you're interested in discussing what people do with breached data, it would be an interesting post on its own, but I don't think it needs to be part of this, and I also don't think it's worthwhile to split hairs to the degree that you were doing.

          In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.

          They acted immediately as if it had been bought (as they state in the article). They also stated that in addition to this, they have reports that it had been bought. There's no indication that they acted at any point as if the data had not been purchased. This is another time where you are splitting hairs or harping on a particular turn of phrase. It's not really a worthwhile way to spend one's time.

          If the vector is closed, it can be discussed.

          See previous comment re: an instance where I was involved in a breach and literally could not legally discuss the situation. If I have been involved in a case where it has happened, it's not difficult to understand that these situations can exist.

          Transparency in breach reporting is one of the only ways consumers have to vote with their feet

          If you value transparency, then "vote with your feet", which I assume means leaving this service. I strongly encourage you to stop using Roll20 if you feel like transparency with breaches is a key factor for you. For most people, transparency in this doesn't matter, because they won't understand what would be said. I know dozens of people who use Roll20 and not a single one of them care about the transparency level of this report; they care that they identified the issue and have worked to fix it. I'll reiterate though, that if you feel strongly about this, leave the service or ask Jeff to give a more technical account of the data breach. They've really just started their report on this, so it's possible he'd provide one.

          3 votes
  2. [2]
    Soptik

I asked them if they could tell me how the attacker got through their system, as I'm a compsci student and I'm interested in real life scenarios.

    After 6(!) days, this came back:

    Hello,

    Not a problem, I can help with that. Before we can process your request, we do need to verify your ownership of this Roll20 account. By confirming, you are certifying that you are the owner of the Roll20 account in question and you wish to receive an example of your data stored in the Roll20 Accounts database.

    If this is the email address associated with your Roll20 account, please reply to this email, and include the word "yes" in your response.

    If this email address is not the one associated with your Roll20 Account, please send a request from that email address.

    Thank you!
    Miles

    (emph. mine). I wonder if I'll be able to get to a human.

    3 votes
    1. Soptik
(edited)

After a hell of a lot of time, I got an email. I asked them if they could disclose at least the type of vulnerability. I got this:
      (Note: I redacted some records for privacy reasons.)

      Hello,
      Thank you for your patience in this matter. Our data protection officer has forwarded your information to you via a separate email. The email should arrive in your inbox within 24 hours. If you have not received this email please let us know and we can continue to assist further.
      Regards,
      The Roll20 Team

      Hi <FirstName>,
      Per your request and verification, the following is the data we currently have associated with your account in our database. If you have logged in or used Roll20 since December 2018, these specific values will differ from the data at the time of the breach, though the data structure is the same.
      First Name: <FirstName>
      Last Name:
      Account ID: 3480747
      Email: <Email>
      BCrypt Password Hash: $2a$10$V/gw4tXgoKf4bAUynuLh5ueQbtxq(...)
      Last Logged in IP: 217.(...).(...).(...)
      Time Played: 6280
      Last 4 digits of most recent card on file: [null]
      Internal User Role Designation: subscriber
      Tips enabled: true
      Image Web Search Default: true
      User Quota: 100
      Current Used Quota (deprecated, unused): 0
      Quota Device Count: 2
      Nickname: <Nickname>
      Creation Time: 1529091625
      Stripe Customer ID: [null]
      Stripe Test Customer ID: [null]
      Paypal Customer ID: [null]
      Single Use Confirm Code: [null]
      Single Use Password Reset Code: [null]
      Google+ ID (deprecated, unused): [null]
      Last Login Time: 1567794293
      Last Time Seen in Game: 1567805820
      Last Consecutive Time Start: 1567794282
      Roll Server Count: 233
      Marketplace Upload Flag: [null]
      User Avatar:
      Language: en
      Agreed to CoC: [null]
      Banned Until: N/A
      Internal Firebase Data - Ping: 300
      Internal Firebase Data - Num: 20
      Internal Firebase Data - Camp: 3404151
      Last Session: <redacted for security> (Note: This one was redacted by them)
      Translator:
      User Tags:
      User Bio:
      Games you play (selected):
      Games you want to play (selected):
      Bio Last Updated: 0
      LFG Flag: [null]
      Achievements: playedwith_5,played_10h,playedwith_10,rolled_100,played_50h,played_100h
      Players Played With: 3388180,3388865,3389052,3472861,3472978,3474950,3475349,3480810,3644412,3712328,3764713,3764805,3797579,3798793,3836647,3836759,4003066,4048042,4141286,3008034,3952395,3297404,4396416,3127157,4525393
      Opt Out Flag: [null]
      Confirmation Flags - Unconfirmed: [null]
      Confirmation Flags - Personal Welcome: [null]
      Confirmation Flags - iPad Editing: [null]
      Hidden Tutorials: startvideo
      Forum All Viewed: 0
      Email Notification Setting: 1
      Captcha Flag: [null]
      Previous Nicknames: .
      Last Notification: 1553372757
      Thank you for your patience and understanding through this process. Please let me know if you have any additional questions.
      Jeffrey Lamb
      Data Protection Officer, Roll20

      Maybe they'll let me ask a human now.

      2 votes
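The first comment's caveat that a leaked name/email/hash set is "not that bad" only if the hashing and salting are up to snuff, and the account dump above showing a truncated `$2a$10$...` bcrypt string, invite a quick defender-side check. The following is an added example, not Roll20's code or anything from this thread: it parses a stored bcrypt string, reports its variant, cost factor and salt presence, flags a truncated record like the one in the dump, and compares the cost against an assumed policy floor (the floor of 10 and the full-length sample hashes are constructed for illustration).

```python
import re

# bcrypt modular-crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]*)(?P<tail>.*)$"
)
SALT_LEN = 22   # 128-bit salt in bcrypt's base64 alphabet
HASH_LEN = 31   # 184-bit digest in bcrypt's base64 alphabet
MIN_COST = 10   # assumed policy floor for this check (illustrative, not Roll20's policy)


def inspect_bcrypt(stored: str) -> dict:
    """Describe a stored bcrypt string without needing any plaintext password."""
    m = BCRYPT_RE.match(stored.strip())
    if not m:
        return {"is_bcrypt": False, "reason": "not a bcrypt modular-crypt string"}
    variant, cost_str, body, tail = m.group("variant", "cost", "body", "tail")
    cost = int(cost_str)
    findings = []
    # A per-user salt is embedded in the string; its presence is what makes the
    # leaked hashes resistant to precomputed (rainbow-table) attacks.
    salted = len(body) >= SALT_LEN
    if tail:  # e.g. the "(...)" redaction in the dump above: record is incomplete
        complete = False
        findings.append(f"truncated or redacted tail {tail!r}; digest not fully recorded")
    elif len(body) != SALT_LEN + HASH_LEN:
        complete = False
        findings.append(f"unexpected body length {len(body)}, expected {SALT_LEN + HASH_LEN}")
    else:
        complete = True
    if variant == "2":
        findings.append("original $2$ variant; $2a$, $2b$ or $2y$ is expected from modern libraries")
    if cost < MIN_COST:
        findings.append(f"cost {cost} (2**{cost} rounds) is below the assumed floor of {MIN_COST}")
    return {"is_bcrypt": True, "variant": variant, "cost": cost, "rounds": 2 ** cost,
            "salted": salted, "complete": complete, "findings": findings}


# Sample inputs: the truncated value from the dump above, plus constructed strings.
PAGE_HASH = "$2a$10$V/gw4tXgoKf4bAUynuLh5ueQbtxq(...)"
FULL_OK = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"   # constructed
WEAK_COST = "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"  # constructed
NOT_BCRYPT = "5f4dcc3b5aa765d61d8327deb882cf99"                              # constructed hex

if __name__ == "__main__":
    for label, value in [("page", PAGE_HASH), ("ok", FULL_OK),
                         ("weak", WEAK_COST), ("hex", NOT_BCRYPT)]:
        print(label, inspect_bcrypt(value))
```

The check says nothing about how the application invoked bcrypt (for example whether passwords were pre-hashed or length-limited), only what the stored string itself reveals.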