Thursday, January 04, 2007

RPGNow and RPGShop credit card data hacked

It was announced tonight on RPG.net that the credit card databases for the online web stores RPGNow and RPGShop were hacked.

Someone posted a message that said they found their credit card data via Google. They posted the link, then removed it. The thread itself was closed by the time I saw it, and then it was deleted entirely.

In its place is this thread, started by someone from RPGNow, stating that "Public warnings are more damaging than helpful right now" and "In asking RPG.net to remove the thread, I'm not trying to stifle outcry, just mitigate damage."

I'm not entirely sure what damage he is mitigating, except perhaps to his company's reputation. This smacks of "security by obscurity".

The site sells roleplaying games and modules in Adobe Acrobat format. I bought a Godlike module from their site about three weeks ago, so I'm understandably concerned about this.

Their privacy statement says that they only save the data on their servers in an encrypted format. There is, as yet, no information as to how this data was hacked, when it was hacked, or who could be affected. They will be contacting affected users, but there is no way to know what constitutes an affected user...

Needless to say, I'm not happy. I'm monitoring the situation.
