RPGNow CC Info Hacked

I was informed last night (by — thanks again) that credit card info stored on the RPGShop/RPGNow database was hacked.

I discovered that my name, address and CC info was among the information stolen, but managed to track down the info, and found that it was over 4 years out of date (thank the gods) — an address where I no longer live, and a debit card that I no longer have, long expired, from a bank that no longer exists. I got lucky.

Apparently, a Brazilian hacker grabbed a file which contained the information of all those who had chosen the “save this data” option during checkout…..although I cannot recall ever doing that myself, but my info was still there.

If you’re concerned, I would recommend that you contact James Mathe at webmaster@rpgshop.com, and give him your name. He’ll tell you if you were on the list, and give you the last 4 digits of the card and the expiration date. That way, you can decide whether you need to take action of your own. Supposedly, they’ve been emailing everyone affected, but there have been reports of people who haven’t yet been contacted (I know that I didn’t get an email until I prompted James about it, so take that as you will).

This is going to seriously fuck with my business.

I’ve already fielded dozens of emails from customers who have told me that they’re not going to purchase from RPGNow/DTRPG again (despite the fact that DTRPG’s servers weren’t affected), and, given that I just signed a contract as an exclusive vendor, that’s a problem.

The fact that OneBookShelf (the new company formed in the merger) hasn’t gotten out ahead of this with a public statement and someone dedicated to Q&A is also pissing me off, as every hour that passes further increases the likelihood that sales in the PDF business are going to be crippled by the chilling effect of lost customer confidence.

10 Replies to “RPGNow CC Info Hacked”

  1. I’ve seen a sales spike elsewhere since the news about RPGNow was released.

    And yes, OBS has seriously dropped the ball on this customer service nightmare. Why doesn’t the front page of RPGNow bring this problem to customers’ attention?

  2. Dude, that’s pretty harsh. But it does underscore a couple of cardinal rules of e-commerce development:

    – any files you put in your web server’s content directories are pretty easy to hack a download of – keep data in a database that is not in the content directories of the web server. Or better yet, have the database on a different server altogether that is behind a firewall (as opposed to the internet-facing web server)

    – sensitive information such as credit card numbers should never be stored in plaintext in a file or database – they should be strongly encrypted just like passwords should be hashed with a salt.

    End soapbox.

  3. Well, Green Ronin is already getting e-mail from angry RPGNow customers, telling us that not only are they never buying anything from OBS again, but *we* have permanently lost them as customers, too. (Apparently we’re at fault because we allowed an online retailer to carry out products.)

    Color me thrilled. No, really, really thrilled.

  4. So good to know that consumers of .pdf products on the web are so bright as to not understand the inherent risks invovled, but to not understand that such risks are a part of the equation in all things online. Are they going to not do any business with any company on the web at all?

    So very sorry to hear that this has happened.


  5. I’m a former IT professional, my wife is a current IT professional. We keep our virus and other software up to date, firewalls, good practice, careful disposing of bills. Everything you can do pretty much to be careful, we do. Our card info was still blagged by some thieving toerags (Russia) somehow and used.

    It doesn’t matter how careful you are, really, on business or customer side ‘shit happens’, it’s a fact of life in the 21st Century as much as spam it seems. Fortunately the banks are getting pretty good with dealing with it and non nonsense re-issuing.

    As to the hysterical customers, I’m confident they’ll come back around in time, it’s just probably the worst time this could happen. Sods law eh?

  6. From the strange way they’re handling this, it makes me wonder if there isn’t an OBS lawyer in the background telling them to say no more than absolutely necessary to minimize the danger of litigation. Not saying it’s right, just that the situation has that ring to it.

  7. From everything I can gather, there was an exploit in RPGNow’s ecommerce software that either hadn’t been patched or no patch was available. And the credit card information was stored in plain text. That’s not “shit happens” that’s “we ain’t done shit to keep it from happening.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.