DrivethruRPG hacked


Black Leaf

We're living in a powder keg and giving off sparks
Moderator
Joined
Aug 20, 2017
Messages
5,468
Reaction score
14,648
Do those of us who log in via social media need to worry?
 

Winterblight

Legendary Member
Joined
May 26, 2018
Messages
688
Reaction score
1,336
Heh, my password was due updating anyway. Didn't they get hacked back in 2015?
 

BedrockBrendan

Legendary Member
Joined
May 3, 2017
Messages
1,458
Reaction score
3,736
I didn't get an email notification. Is this confirmed? No mention of it on the site and don't know any others who have received an email from them.
 

Endless Flight

SWO!
Administrator
Moderator
Joined
Apr 24, 2017
Messages
11,930
Reaction score
30,500
I actually tried to get on the site yesterday and it was down.
 

BedrockBrendan

Legendary Member
Joined
May 3, 2017
Messages
1,458
Reaction score
3,736
Drivethru shut the site down because whoever hacked the site changed prices on a lot of products to being free. Here is a screenshot of the announcement they posted on Discord:

Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
 

urbwar

Legendary Member
Joined
Jul 15, 2018
Messages
2,913
Reaction score
4,400
Damn. I would have thought they'd send an email to publishers (I didn't get one that I saw).
They supposedly did to people who had money taken from their publisher account. This thread on Reddit discusses that (though it also mentions customer accounts). Basically, if you didn't get direct contact about it, your account should be fine.

They did disable setting up a new title, editing a listing or managing a bundle though for the time being.
 

Neon

Legendary Member
Joined
Oct 24, 2020
Messages
127
Reaction score
357
So..... if I change my password does that mean it's safe again to put through an order?
 

robertsconley

Legendary Member
Joined
May 3, 2018
Messages
3,868
Reaction score
8,159
Likely what happened is a hacker figured out how to get to the page where product prices are set by typing in the page's address directly, using the product's unique ID as part of the hack. The fix was likely not assuming that you got to the page via a valid route and adding a security check on the page itself to see if the user is authorized to edit that product's price. This is consistent with the hack not being a database problem and the fact that DriveThruRPG uses PHP.
 
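To make the scenario robertsconley speculates about concrete, here is an added illustration, not DriveThruRPG's code (their actual handler is unknown): a hypothetical PHP price-edit page that trusts the product id it is given, beside a version that checks, on the page itself, that the logged-in publisher owns the product. The table and column names, the session key and the DSN are assumptions.

```php
<?php
// Added illustration only; hypothetical handler, not DriveThruRPG's code.
// Assumed schema: products(id, publisher_id, price). Assumed the login
// session stores the publisher's id in $_SESSION['publisher_id'].

// BEFORE (vulnerable): the page assumes it was reached from the publisher's
// own product list, so it never asks who is editing which product.
function update_price_unchecked(PDO $db, int $productId, float $newPrice): bool {
    $stmt = $db->prepare('UPDATE products SET price = :price WHERE id = :id');
    return $stmt->execute([':price' => $newPrice, ':id' => $productId]);
}

// AFTER (hardened): the handler itself verifies login and ownership, and the
// ownership condition is repeated inside the UPDATE so a check-then-act race
// between a SELECT and the UPDATE cannot slip through.
function update_price_checked(PDO $db, ?int $publisherId, int $productId, float $newPrice): bool {
    if ($publisherId === null) {
        http_response_code(401);            // not logged in at all
        return false;
    }
    if ($newPrice < 0) {
        http_response_code(400);            // reject nonsensical input early
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE products SET price = :price WHERE id = :id AND publisher_id = :owner'
    );
    $stmt->execute([':price' => $newPrice, ':id' => $productId, ':owner' => $publisherId]);
    if ($stmt->rowCount() === 0) {
        // Product missing or owned by someone else: deny, and log it, since a
        // burst of these is the signal a defender wants to alert on.
        error_log(sprintf('price edit denied: publisher=%d product=%d', $publisherId, $productId));
        http_response_code(403);
        return false;
    }
    return true;
}

// Entry point: only accept POST, so a crafted link alone cannot trigger a change.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $db = new PDO('sqlite:catalog.db');    // assumed DSN
    $ok = update_price_checked(
        $db,
        isset($_SESSION['publisher_id']) ? (int)$_SESSION['publisher_id'] : null,
        (int)($_POST['product_id'] ?? 0),
        (float)($_POST['price'] ?? -1)
    );
    echo $ok ? 'price updated' : 'request rejected';
}
```

On MySQL, `rowCount()` reports changed rows rather than matched rows unless `PDO::MYSQL_ATTR_FOUND_ROWS` is set, so an edit that re-submits the current price would otherwise read as denied.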

thebigh

Gelatinous noob
Joined
Feb 25, 2022
Messages
222
Reaction score
669
Yeah, it would likely have been something along those lines. Maybe not quite that simple, since otherwise they'd have already been hacked that exact same way long ago.
 

urbwar

Legendary Member
Joined
Jul 15, 2018
Messages
2,913
Reaction score
4,400
So..... if I change my password does that mean it's safe again to put through an order?
You don't really need to change it, according to them (unless you feel more comfortable changing it). That info was never compromised. The hack allowed them to change pricing on titles, and supposedly take from publisher account funds (if you had any). My publisher account doesn't appear to be touched (as I had money that is still there, and none of my titles were affected at all). My only sales of late have mostly been from a bundle, and I don't see anything from those.
 