I was wondering why DTRPG was down on the evening of May 20th, 2022. Then I had the following forwarded to me:
Meredith Gerber (She/Her) — Today at 10:27 PM
MAY 2022 SECURITY UPDATE
In the afternoon of May 20th, 2022, we had a security incident on site that we continue to actively investigate. We have no evidence that any customer account data was compromised.
A third party was able to set prices on titles that they were not authorized to modify, and they set the prices of many titles on site to free which led to some customers placing orders for free titles that were not meant to be free. We shut down the site shortly after this began to happen.
@Publisher & @CC Creator:
We are restoring the site to service; however, for the time being, there will be no access to the normal tool pages to enter or edit titles or to manage bundle titles. We continue to investigate these pages for any security issues and will restore them as soon as we can. Files can still be updated with the normal update file tool page.
Publishers may still use the main publisher hub title search to find and make some edits to titles.
In the coming week, we will analyze any titles that were ordered at incorrect prices and make restitution to publishers and creators whose titles were affected.
We will continue to post messages to Discord, publisher hub, and social media as our investigation continues.
Interestingly enough, there was no mention of this incident on the DTRPG Facebook page.
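The notice states only that a third party could set prices on titles they were not authorized to modify; it does not say how. As an added illustration (not OneBookShelf or DTRPG code), the block below contrasts a hypothetical role-only check with a per-title ownership check on a price update, and runs a simple detection rule over constructed price-change audit rows. The weak variant's cause, the `Title`/`User` shapes and the audit format are all assumptions.

```python
# Added illustration, not OneBookShelf/DTRPG code; the notice gives no root cause, so
# the weak variant below assumes a role check with no per-title ownership check.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Title:
    title_id: str
    publisher_id: str
    price_cents: int

@dataclass
class User:
    user_id: str
    is_publisher: bool

class PriceChangeDenied(Exception):
    pass

def set_price_role_check_only(user: User, title: Title, new_price_cents: int) -> Title:
    """Weak variant (assumed): any publisher account may reprice any title."""
    if not user.is_publisher:
        raise PriceChangeDenied("not a publisher")
    title.price_cents = new_price_cents
    return title

def set_price_with_ownership(user: User, title: Title, new_price_cents: int) -> Title:
    """Hardened variant: the title must belong to the acting publisher."""
    if not user.is_publisher:
        raise PriceChangeDenied("not a publisher")
    if title.publisher_id != user.user_id:  # object-level check, per title
        raise PriceChangeDenied(f"{user.user_id} does not own {title.title_id}")
    title.price_cents = new_price_cents
    return title

# Constructed audit rows, one per price change (not real DTRPG data).
CONSTRUCTED_AUDIT = [
    {"actor": "pub-x", "title_id": "t1", "old_price_cents": 500, "new_price_cents": 0},
    {"actor": "pub-x", "title_id": "t2", "old_price_cents": 999, "new_price_cents": 0},
    {"actor": "pub-a", "title_id": "t9", "old_price_cents": 300, "new_price_cents": 0},
]

def suspicious_price_drops(audit: list[dict], threshold: int = 2) -> set[str]:
    """Actors that set at least `threshold` distinct titles from paid to free."""
    zeroed: dict[str, set[str]] = {}
    for row in audit:
        if row["old_price_cents"] > 0 and row["new_price_cents"] == 0:
            zeroed.setdefault(row["actor"], set()).add(row["title_id"])
    return {a for a, titles in zeroed.items() if len(titles) >= threshold}
```

The detection rule is a coarse burst heuristic; in practice it would key on the actor's session and a time window rather than the whole audit log.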
- Tenkar
I don't see any notification to me as a publisher, either.
Apparently this was announced on the OBS Discord Server, which I've never been able to access
I didn't even know there *was* one.
I know my memory's worse as I get older, but didn't I get burned by a Drivethru hack once before? And if I did, how do I deal with a company so lax that they don't take sufficient precautions to avoid being hacked again? This isn't how to build customer confidence.
Whelp... Time to change my password, no matter what they say.
I seem to recall seeing this exploit on a few titles once before earlier this year. I forget the titles but I did see a few print POD options listed as free (and not just the PDF). I had assumed it was a momentary display bug and did not partake as I wouldn't want to chance flagging my account. Now if I see it again I know to screencap and report it.
Yet another reason to feel good about never ordering from DTRPG, as if I needed more of them.
Wow, they didn't even bother to email me about this? My titles are all PWYW anyway so I doubt anyone would've bothered with them but email should be the first line of contact for an incident like this.
Also distressed that I didn't get an email notification.
Publisher notification was apparently only through the publisher page, where announcements are normally placed. It provided a link to the OBS site where the above information was provided.
Oh, okay. So at a time the system is compromised, we can only find out by logging in (not advisable with compromised systems) at the same time.
Not how I would have handled it, but I've only been doing systems operations for a couple decades.