
Implement and require ALL Roll20 staff to use MFA

Score + 29
I just got an email that yet again roll20 has been compromised. While there's a huge amount of people that have requested MFA for our user accounts, which has been ignored by roll20 who have refused to implement it, the meat of the subject is all staff on roll20 need to be using MFA. This should be a requirement in 2024 and the foot dragging is ridiculous. I pay for an account with you guys, but I could self host with Foundry and do better security than roll20. Foundry may not support MFA for user accounts, but it'd be easy to write up something for fail2ban to prevent brute force logins. I'm seriously questioning why I'm paying roll20 at this point. As per the email, my following personal information has likely been accessed: first and last name, email address, last known IP address, and the last 4 digits of your credit card (solely if you had a stored payment with us). None of that is acceptable on any level.
One ADMIN Account was hacked recently, so maybe you saw this? I did not get the mail you are referring to... [quotes DrHappyAngry's post above]
Yes, it was an admin account that got hacked which I'm referring to and just got an email about. This is easily solvable. All staff on roll20 should be required to use MFA, which will help protect our accounts even if the individual user isn't using MFA (which you should, and which needs to be implemented for user accounts as well, but that's been asked repeatedly in other threads). Protecting the admin and staff accounts obviously needs to be a much higher priority than roll20 has set it as. Obviously first they need to implement MFA for roll20 accounts, but it absolutely needs to be a requirement for all roll20 staff to use it. [quotes TheMarkus1204's reply and DrHappyAngry's post above]
This is the second time R20 has been hacked and once was bad enough. You would think with all the money they make they would actually use some of it to keep their paying customers safe. Something really has to be done about this because this is ridiculous.
I also received the email. I agree that all admin users and staff of a company should be using MFA. At this stage it should be the default for anyone dealing with user data. Also, all staff should be participating in phishing training and testing.

Hello Roll20 User,

We are writing to tell you about a data security incident that may have exposed some of your personal information. We take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident.

On June 29, 2024, at 6:30 P.M. Pacific Time, Roll20 learned that an administrative account was compromised. By 7:30 P.M. Pacific Time,
Upvote people ^
Lack of MFA is a reason I have NOT become a paying customer, it is sad that in 2024 this platform which so many use still is not secured.
Upvoted. This and user 2FA should be standard security for Roll20.
+1. Maybe after another seven years and another data breach they'll actually do something.
李鐵拐 said: +1. Maybe after another seven years and another data breach they'll actually do something. I remember someone, years ago, joked about waiting until someone from Roll20 staff themselves were hacked, so we could see proper 2FA implemented. Now that it's happened for real...
And this post continues to die in silence
Bumping this so it doesn't go away and continued to be ignored by Roll20 staff, putting all of our accounts, personal & financial information at risk.
Likewise, this would be good at least for the staff, if only for security's sake. Not having this is inviting another data breach and hack.
Hey, pigs have flown! They implemented 2FA late 2024! This thread however is another very important piece of the pie - and while not a traditional request for users to make, it's not all that hard to fulfill. Any Linux system will let you integrate a TOTP style token (e.g. something powered by Google Authenticator) with PAM, at no cost to the company. Administering those tokens in bulk is a bit more of a trick, but with ssh access to the system it is simple enough to script something into place for rapid provisioning, I've done it before. Non-linux systems have commercial solutions at a variety of price points and levels of effort required for integration - there's something for everyone. I have no idea what their backend infrastructure is running, but there should be 2FA to every system in 2026, for users (which is done, yay!) but especially for staff. Where I work, we have no choice in the matter, it's 2FA or we close shop, and we're not dealing with the account security of even hundreds of people, we are merely protecting intellectual property and sensitive info.

Also, idk how Roll20 integrates with stripe, but from working with other sites who use them, there are plenty who do not retain payment info on their users, opting to just maintain a token of sorts from the transaction. Stripe of course has the info, but then you require two systems to be compromised in order to get at someone's payment data. This approach might bar you from saving your payment info unless stripe offers that as well through their API, which they probably do.

Out of scope for this request, but applicable nonetheless as I'd expect things like real name (from payments especially where you don't want to lie), address, cc info, and IP address to be the most sensitive data roll20 holds, and easy to protect this way. I also imagine chat/forum contents and our personally owned IP used in the VTT to be sensitive as well for most users.
We obviously have no way of auditing implementation but a good faith reply from Roll20 saying "hey, yes, we heard you, we're doing 2FA across our infrastructure, and nobody can get at any system with user data without it" would be great and imo enough to close this out, assuming they've taken such steps. Be advised that even with 2FA in place, it doesn't stop things like federation between services, or API tokens and such from being used as potential avenues to get at sensitive data, but it does greatly diminish the value of social engineering or an employee just making a mistake.
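The post above describes TOTP tokens (Google Authenticator style) for staff logins and scripted bulk provisioning. As an added illustration that is not part of the thread or of any Roll20 or PAM code, here is the RFC 4226/6238 algorithm those apps implement, a small enrolment helper that emits the otpauth:// URI, and a verifier that tolerates one step of clock drift and refuses a code that was already accepted in its time step. The issuer and account names are made up for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def b32(seed: bytes) -> str:
    """Unpadded base32, the form authenticator apps expect."""
    return base64.b32encode(seed).decode().rstrip("=")

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time in 30 s steps."""
    return hotp(secret, at // STEP, digits)

def provision(issuer: str, account: str):
    """Enrolment: fresh 160-bit seed plus the otpauth URI to show as a QR code.
    Issuer/account here are placeholders, not real Roll20 identities."""
    seed_b32 = b32(secrets.token_bytes(20))
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={seed_b32}&issuer={quote(issuer)}")
    return seed_b32, uri

class TotpVerifier:
    """Server-side check with +/- `window` steps of drift tolerance.
    Each accepted step is remembered so the same code cannot be replayed
    within its validity window (the idea behind DISALLOW_REUSE in
    pam_google_authenticator)."""
    def __init__(self, seed_b32: str, window: int = 1):
        self.secret = base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))
        self.window = window
        self.used_steps = set()

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP
        for cand in range(step - self.window, step + self.window + 1):
            if cand in self.used_steps:
                continue  # already consumed: treat a replay as a failure
            if hmac.compare_digest(hotp(self.secret, cand), code):
                self.used_steps.add(cand)
                return True
        return False
```

The assertions use the shared test seed from RFC 4226/6238 ("12345678901234567890"), so the output can be checked against the published vectors.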