DrivethruRPG hacked

Do those of us who log in via social media need to worry?
 
Heh, my password was due updating anyway. Didn't they get hacked back in 2015?
 
I didn't get an email notification. Is this confirmed? No mention of it on the site and don't know any others who have received an email from them.
 
I actually tried to get on the site yesterday and it was down.
 
Drivethru shut the site down because whoever hacked the site changed prices on a lot of products to being free. Here is a screenshot of the announcement they posted on Discord:
View attachment 45867

Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
 
> Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
They supposedly did to people who had money taken from their publisher account. This thread on Reddit discusses that (though it also mentions customer accounts). Basically, if you didn't get direct contact about it, your account should be fine.

They did disable setting up a new title, editing a listing or managing a bundle, though, for the time being.
 
So..... if I change my password does that mean it's safe again to put through an order?
 
Likely what happened is a hacker figured out how to get to the page where product prices are set by typing in the page's address directly, using the product's unique ID as part of the hack. The fix was likely not assuming that you got to the page via a valid route and adding a security check on the page itself to see if the user is authorized to edit that product's price. This is consistent with the hack not being a database problem and the fact DriveThruRPG uses PHP.
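
Added example, not part of the thread and not DriveThruRPG's code: the per-product authorization check that the post above speculates about, shown in PHP beside a handler that lacks it. The product table, session array and function names are hypothetical, and the data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data: product id => owning publisher and price in cents.
$products = [
    101 => ['publisher_id' => 7, 'price_cents' => 1499],
    102 => ['publisher_id' => 9, 'price_cents' => 999],
];

// "Before": assumes the caller reached this handler through their own product
// menu, so any logged-in publisher session can reprice any product id.
function updatePriceUnchecked(array &$products, array $session, int $productId, int $priceCents): bool
{
    if (!isset($session['publisher_id'], $products[$productId])) {
        return false;
    }
    $products[$productId]['price_cents'] = $priceCents;
    return true;
}

// "After": the handler itself verifies that the session's publisher owns the
// requested product before changing anything, and logs denied attempts.
function updatePriceChecked(array &$products, array $session, int $productId, int $priceCents): bool
{
    if (!isset($session['publisher_id'], $products[$productId])) {
        return false;
    }
    if ($products[$productId]['publisher_id'] !== $session['publisher_id']) {
        error_log("denied price edit: publisher {$session['publisher_id']} on product {$productId}");
        return false;
    }
    if ($priceCents < 0) {
        return false; // reject nonsensical prices even from the owner
    }
    $products[$productId]['price_cents'] = $priceCents;
    return true;
}

$session = ['publisher_id' => 7]; // constructed session for publisher 7

$copy = $products; // work on a copy so the unchecked call does not alter the sample data
var_dump(updatePriceUnchecked($copy, $session, 102, 0));   // another publisher's title
var_dump(updatePriceChecked($products, $session, 102, 0)); // same request, ownership enforced
var_dump(updatePriceChecked($products, $session, 101, 1299)); // publisher 7's own title
```

The ownership comparison runs on the server for every request, so it holds regardless of how the request reached the handler.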
 
Yeah, it would likely have been something along those lines. Maybe not quite that simple, since otherwise they'd have already been hacked that exact same way long ago.
 
> So..... if I change my password does that mean it's safe again to put through an order?
You don't really need to change it, according to them (unless you feel more comfortable changing it). That info was never compromised. The hack allowed them to change pricing on titles, and supposedly take from publisher account funds (if you had any). My publisher account doesn't appear to be touched (as I had money that is still there, and none of my titles were affected at all). My only sales of late have mostly been from a bundle, and I don't see anything from those.
 