therpgsite hacked/data breach usernames passwords potentially exposed


xanther

Hi All,
Recall that in the early days many of us were also regulars at therpgsite. My security software/service informed me today of a data breach or hack there that exposed usernames and passwords, among other things. Just thought people would like to know.
 
I would strongly encourage anyone that uses the same or similar password they use(d) on The RPG Site to change your password here now. Same applies for anywhere else you use the same or similar password.
 
Did they even announce it or notify users?
 
Thankfully I changed all my pws a year or two ago and haven't logged in there in a dog's age.
 
Yes, but can you? I don't think you can delete your own account.
I haven't figured out how there or at other sites. I'm not certain being banned even takes you out of the database, probably the opposite, at least with respect to your IP address. I did notice that when I went there to change my password they allow you to use an IP address of your choice now....hmmm.

Now one could look at the terms of service, one's local laws on data privacy, the internet, the UDRP and the like and may find out you have a right to have them remove your data...then it is a matter of enforcing.

My guess is sites never remove people because it is not easy for them, and it lowers their total user count which lowers potential revenue and value calculators. Heck even the surge in traffic as people go there to change passwords could be good.
 
Hi All,
Recall that in the early days many of us were also regulars at therpgsite. My security software/service informed me today of a data breach or hack there that exposed usernames and passwords, among other things. Just thought people would like to know.
Oh, and I forgot. Thank you, xanther, for letting us know! :thumbsup:
 
My guess is sites never remove people because it is not easy for them, and it lowers their total user count which lowers potential revenue and value calculators. Heck even the surge in traffic as people go there to change passwords could be good.
A lot of forum software has implemented ways to do this pretty quickly because of the new laws. I handle a forum for my work and I've handled several requests for removal of data since then. The software we have leaves the posts, but removes all identifying markers, scrubs the accounts of IP information/etc and gives the account a generic name like "Removed User ####"
 
You're all overthinking it. If there's no way for you to delete your account, change your current password to an extremely complicated one that you can't possibly remember, then log out. Done.
 
You're all overthinking it. If there's no way for you to delete your account, change your current password to an extremely complicated one that you can't possibly remember, then log out. Done.
That doesn't actually solve the problem though, that's just logging out with extra steps.
 
A lot of forum software has implemented ways to do this pretty quickly because of the new laws. I handle a forum for my work and I've handled several requests for removal of data since then. The software we have leaves the posts, but removes all identifying markers, scrubs the accounts of IP information/etc and gives the account a generic name like "Removed User ####"
I think if I implemented it I'd give random names to each post every time it loads and every message. Something that lets users know it's a deleted user but something that makes it harder to just map one to one.
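
The two approaches described in the posts above, as an added example that is not part of the thread or any forum software's own code: scrubbing an account under one generic name versus showing a fresh label per post on each load. The schema, function names and sample data are hypothetical.

```python
import secrets

def new_forum():
    # Constructed sample data; the schema is hypothetical.
    users = {
        17: {"name": "alice_gm", "email": "alice@example.org",
             "last_ip": "203.0.113.9", "deleted": False},
        42: {"name": "bob_dm", "email": "bob@example.org",
             "last_ip": "198.51.100.4", "deleted": False},
    }
    posts = [
        {"id": 1, "author_id": 17, "body": "Session recap"},
        {"id": 2, "author_id": 42, "body": "Nice write-up"},
        {"id": 3, "author_id": 17, "body": "Thanks!"},
    ]
    return users, posts

def scrub_account(users, user_id):
    """Keep the posts, strip identifiers, assign one generic account name."""
    users[user_id].update(
        name=f"Removed User {secrets.randbelow(10000):04d}",
        email=None, last_ip=None, deleted=True)

def render_thread(users, posts, per_post_labels=False):
    """Return (post_id, displayed_author) pairs for a single page load."""
    rendered, used = [], set()
    for post in posts:
        user = users[post["author_id"]]
        label = user["name"]
        if user["deleted"] and per_post_labels:
            # Fresh label per post and per load, unique within this page.
            label = None
            while label is None or label in used:
                label = f"Removed User {secrets.token_hex(3)}"
        used.add(label)
        rendered.append((post["id"], label))
    return rendered

def linkable_groups(rendered):
    """Posts a reader can tie together because they share a displayed name."""
    groups = {}
    for post_id, label in rendered:
        groups.setdefault(label, []).append(post_id)
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    users, posts = new_forum()
    scrub_account(users, 17)
    print(linkable_groups(render_thread(users, posts)))        # one shared name
    print(linkable_groups(render_thread(users, posts, True)))  # per-post labels
```

Per-post labels only change what readers see; in this sketch the `author_id` link between the posts still exists in the stored data.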
 
That doesn't actually solve the problem though, that's just logging out with extra steps.
Solve what problem? Deleting your account? If the TRS admin can't figure out how to (or refuses to) remove accounts, then the next best thing is to remove as much from your account as possible. This includes giving it a fake email, generating a complicated password, deleting your profile picture, and removing all previous posts. If it's possible to change your username, scramble it.

Your account is still "active" but there's hardly any information left.

I understand this might sound like a lot of work, and the easiest thing is to just delete it, but as unhinged as the Pundit is, I wouldn't rely on him to delete your account.
 
Can you set it to a nonsense e-mail? Doesn't it require that you validate the new e-mail?
 
There are services that will give you an email address which is valid for an hour or less.
Yeah, I didn't know if their site was advanced enough to filter those out. I can't use those as addresses on several sites.
 
Yeah, I didn't know if their site was advanced enough to filter those out. I can't use those as addresses on several sites.
I have a domain name I use that wildcard forwards all email to my primary inbox. Then I have rules to dump to spam all but a few addresses.
 
There's no indication of such. PM me any evidence anyone has.
I'd contact Lifelock. They are the ones that found it and notified me, if you run the site they may help. Here is the dark web alert they sent April 12, 2021, in part:

Description
The site therpgsite.com has been reported in February 2021 to possibly have suffered a data exposure that could include 7,278 records

Exposed Information
my e-mail

Additional Exposed Information
Username, Password, IP Address-32 Bit, Gamertag


You get these when the info appears on the dark web, the info they had found lined up with my e-mail and password at that time, didn't check the other stuff but suspect it was also accurate. Didn't use that password anywhere else, pretty good about that.
 