therpgsite hacked/data breach usernames passwords potentially exposed


xanther

Legendary Member
Hi All,
Recall that in the early days many of us were also regulars at therpgsite. My security software/service informed me today of a data breach or hack there that exposed usernames and passwords, among other things. Just thought people would like to know.
 

Apparition

New Generation Grognard
Administrator
I would strongly encourage anyone that uses the same or similar password they use(d) on The RPG Site to change your password here now. Same applies for anywhere else you use the same or similar password.
 

chuckdee

Legendary Member
Did they even announce it or notify users?
 

Voros

Doomed Investigator
Thankfully I changed all my pws a year or two ago and haven't logged in there in a dog's age.
 

xanther

Legendary Member
Yes, but can you? I don't think you can delete your own account.
I haven't figured out how there or at other sites. I'm not certain being banned even takes you out of the database; probably the opposite, at least with respect to your IP address. I did notice that when I went there to change my password they allow you to use an IP address of your choice now... hmmm.

Now one could look at the terms of service, one's local laws on data privacy, the internet, the UDRP and the like and may find out you have a right to have them remove your data... then it is a matter of enforcing.

My guess is sites never remove people because it is not easy for them, and it lowers their total user count, which lowers potential revenue and value calculators. Heck, even the surge in traffic as people go there to change passwords could be good.
 

Supervisor194

Legendary Member
> Hi All,
> Recall that in the early days many of us were also regulars at therpgsite. My security software/service informed me today of a data breach or hack there that exposed usernames and passwords, among other things. Just thought people would like to know.
Oh, and I forgot. Thank you, xanther, for letting us know! :thumbsup:
 

EmperorNorton

Legendary Member
> My guess is sites never remove people because it is not easy for them, and it lowers their total user count, which lowers potential revenue and value calculators. Heck, even the surge in traffic as people go there to change passwords could be good.

A lot of forum software has implemented ways to do this pretty quickly because of the new laws. I handle a forum for my work and I've handled several requests for removal of data since then. The software we have leaves the posts, but removes all identifying markers, scrubs the accounts of IP information/etc. and gives the account a generic name like "Removed User ####".
 

Nemesis

Well-Known Member
You're all overthinking it. If there's no way for you to delete your account, change your current password to an extremely complicated one that you can't possibly remember, then log out. Done.
 

Ladybird

TRAHR
> You're all overthinking it. If there's no way for you to delete your account, change your current password to an extremely complicated one that you can't possibly remember, then log out. Done.
That doesn't actually solve the problem though, that's just logging out with extra steps.
 

Bunch

E-Rocker is a goose.
> A lot of forum software has implemented ways to do this pretty quickly because of the new laws. I handle a forum for my work and I've handled several requests for removal of data since then. The software we have leaves the posts, but removes all identifying markers, scrubs the accounts of IP information/etc. and gives the account a generic name like "Removed User ####".
I think if I implemented it I'd give random names to each post every time it loads and every message. Something that lets users know it's a deleted user but something that makes it harder to just map one to one.
 

Nemesis

Well-Known Member
> That doesn't actually solve the problem though, that's just logging out with extra steps.

Solve what problem? Deleting your account? If the TRS admin can't figure out how to (or refuses to) remove accounts, then the next best thing is to remove as much from your account as possible. This includes giving it a fake email, generating a complicated password, deleting your profile picture, and removing all previous posts. If it's possible to change your username, scramble it.

Your account is still "active" but there's hardly any information left.

I understand this might sound like a lot of work, and the easiest thing is to just delete it, but as unhinged as the Pundit is, I wouldn't rely on him to delete your account.
 

chuckdee

Legendary Member
Can you set it to a nonsense e-mail? Doesn't it require that you validate the new e-mail?
 

chuckdee

Legendary Member
> There are services that will give you an email address which is valid for an hour or less.
Yeah, I didn't know if their site was advanced enough to filter those out. I can't use those as addresses on several sites.
 

Bunch

E-Rocker is a goose.
> Yeah, I didn't know if their site was advanced enough to filter those out. I can't use those as addresses on several sites.
I have a domain name I use that wildcard forwards all email to my primary inbox. Then I have rules to dump to spam all but a few addresses.
 

xanther

Legendary Member
> There's no indication of such. PM me any evidence anyone has.

I'd contact Lifelock. They are the ones that found it and notified me; if you run the site they may help. Here is the dark web alert they sent April 12, 2021, in part:

Description
The site therpgsite.com has been reported in February 2021 to possibly have suffered a data exposure that could include 7,278 records

Exposed Information
my e-mail

Additional Exposed Information
Username, Password, IP Address-32 Bit, Gamertag


You get these when the info appears on the dark web. The info they had found lined up with my e-mail and password at that time; didn't check the other stuff but suspect it was also accurate. Didn't use that password anywhere else, pretty good about that.
 