DrivethruRPG hacked


Black Leaf

And we'll fly away on those angel wings of chrome
Super Moderator
Moderator
Do those of us who log in via social media need to worry?
 

Winterblight

Legendary Member
Heh, my password was due for updating anyway. Didn't they get hacked back in 2015?
 

BedrockBrendan

Legendary Member
I didn't get an email notification. Is this confirmed? There's no mention of it on the site, and I don't know of any others who have received an email from them.
 

Endless Flight

SWO!
Administrator
Moderator
I actually tried to get on the site yesterday and it was down.
 

BedrockBrendan

Legendary Member
Drivethru shut the site down because whoever hacked the site changed prices on a lot of products to free. Here is a screenshot of the announcement they posted on Discord:

Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
 

urbwar

Legendary Member
Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
They supposedly did to people who had money taken from their publisher account. This thread on Reddit discusses that (though it also mentions customer accounts). Basically, if you didn't get direct contact about it, your account should be fine.

They did disable setting up a new title, editing a listing, or managing a bundle, though, for the time being.
 

Neon

Legendary Member
So..... if I change my password does that mean it's safe again to put through an order?
 

robertsconley

Legendary Member
Likely what happened is that a hacker figured out how to get to the page where product prices are set by typing in the page's address directly, using the product's unique ID as part of the hack. The fix was likely to stop assuming that you got to the page via a valid route and to add a security check on the page itself to see if the user is authorized to edit that product's price. This is consistent with the hack not being a database problem and with the fact that DriveThruRPG uses PHP.
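The failure mode described in the post above, as an added illustration rather than anything from DriveThruRPG's code: a price-edit handler that only checks that someone is logged in, beside one that also checks that the logged-in account owns the product. The products, publisher IDs and prices are constructed sample data, and the handler names are hypothetical.

```python
# Constructed example of a missing per-object authorization check on a
# price-edit handler. Not DriveThruRPG's code; sample data only.
from dataclasses import dataclass


@dataclass
class Product:
    product_id: int
    publisher_id: int  # account that owns the listing
    price_cents: int


# Constructed in-memory "database": two listings owned by two publishers.
PRODUCTS = {
    101: Product(101, publisher_id=7, price_cents=1999),
    202: Product(202, publisher_id=9, price_cents=499),
}


class NotAuthorized(Exception):
    pass


def set_price_vulnerable(user_id, product_id, new_price_cents):
    """Checks only that *a* user is logged in. Anyone who reaches the page
    with another publisher's product ID can reprice that publisher's title."""
    if user_id is None:
        raise NotAuthorized("login required")
    product = PRODUCTS[product_id]
    product.price_cents = new_price_cents
    return product.price_cents


def set_price_hardened(user_id, product_id, new_price_cents):
    """Decides authorization per object: the product's owner must match the
    session user, no matter which route the request took to get here."""
    if user_id is None:
        raise NotAuthorized("login required")
    product = PRODUCTS.get(product_id)
    # Refuse unknown IDs and products owned by someone else with one answer.
    if product is None or product.publisher_id != user_id:
        raise NotAuthorized("not permitted to edit this product")
    if new_price_cents < 0:
        raise ValueError("price must be non-negative")
    product.price_cents = new_price_cents
    return product.price_cents


def outcome(handler, user_id, product_id, new_price_cents):
    """Run a handler and report the result as a plain value for comparison."""
    try:
        return handler(user_id, product_id, new_price_cents)
    except NotAuthorized:
        return "denied"
```

Run `outcome(set_price_hardened, 7, 202, 0)` and `outcome(set_price_vulnerable, 7, 202, 0)` side by side: the hardened handler refuses user 7's attempt on publisher 9's listing, while the vulnerable one silently sets it to free.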
 

thebigh

Gelatinous noob
Yeah, it would likely have been something along those lines. Maybe not quite that simple, since otherwise they'd have already been hacked that exact same way long ago.
 

urbwar

Legendary Member
So..... if I change my password does that mean it's safe again to put through an order?
You don't really need to change it, according to them (unless you feel more comfortable changing it). That info was never compromised. The hack allowed them to change pricing on titles, and supposedly take from publisher account funds (if you had any). My publisher account doesn't appear to be touched (as I had money that is still there, and none of my titles were affected at all). My only sales of late have mostly been from a bundle, and I don't see anything from those.
 