Implement and require ALL Roll20 staff to use MFA

I just got an email that yet again roll20 has been compromised.  While there's a huge amount of people that have requested MFA for our user accounts, which has been ignored by roll20 who have refused to implement it, the meat of the subject is all staff on roll20 need to be using MFA.  This should be a requirement in 2024 and the foot dragging is ridiculous.  I pay for an account with you guys, but I could self host with Foundry and do better security than roll20.  Foundry may not support MFA for user accounts, but it'd be easy to write up something for fail2ban to prevent brute force logins.  I'm seriously questioning why I'm paying roll20 at this point. As per the email my following personal information has likely been accessed first and last name, email address, last known IP address, and the last 4 digits of your credit card (solely if you had a stored payment with us). None of that is acceptable on any level.

One ADMIN Account was hacked recently, so maybe you saw this? I did not get the mail you are referring to... DrHappyAngry said: I just got an email that yet again roll20 has been compromised.  While there's a huge amount of people that have requested MFA for our user accounts, which has been ignored by roll20 who have refused to implement it, the meat of the subject is all staff on roll20 need to be using MFA.  This should be a requirement in 2024 and the foot dragging is ridiculous.  I pay for an account with you guys, but I could self host with Foundry and do better security than roll20.  Foundry may not support MFA for user accounts, but it'd be easy to write up something for fail2ban to prevent brute force logins.  I'm seriously questioning why I'm paying roll20 at this point. As per the email my following personal information has likely been accessed first and last name, email address, last known IP address, and the last 4 digits of your credit card (solely if you had a stored payment with us). None of that is acceptable on any level.

Yes it was an admin account that got hacked which I'm referring to and just got an email about.  This is easily solvable.  All staff on roll20 should be required to use MFA which will help protect our accounts, even if the individual user isn't using MFA (which you should and needs to be implemented for user accounts as well, but that's been asked repeatedly in other threads) protecting the admin and staff accounts obviously needs to be a much higher priority than roll20 has set it as.  Obviously first they need to implement MFA for roll20 accounts, but it absolutely needs to be a requirement for all roll20 staff to use it. TheMarkus1204 said: One ADMIN Account was hacked recently, so maybe you saw this? I did not get the mail you are referring to... DrHappyAngry said: I just got an email that yet again roll20 has been compromised.  While there's a huge amount of people that have requested MFA for our user accounts, which has been ignored by roll20 who have refused to implement it, the meat of the subject is all staff on roll20 need to be using MFA.  This should be a requirement in 2024 and the foot dragging is ridiculous.  I pay for an account with you guys, but I could self host with Foundry and do better security than roll20.  Foundry may not support MFA for user accounts, but it'd be easy to write up something for fail2ban to prevent brute force logins.  I'm seriously questioning why I'm paying roll20 at this point. As per the email my following personal information has likely been accessed first and last name, email address, last known IP address, and the last 4 digits of your credit card (solely if you had a stored payment with us). None of that is acceptable on any level.

This is the second time R20 has been hacked and once was bad enough. You would think with all the money they make they would actually use some of it to keep their paying customers safe. Something really has to be done about this because this is ridiculous.

I also received the email. I agree that all admin users and staff of a company should be using MFA. In the stage there should be default for anyone dealing with users data. Also all staff should be participating in fishing training and testing.  Hello Roll20 User,   We are writing to tell you about a data security incident that may have exposed some of your personal information. We take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident.    On June 29, 2024, at 6:30 P.M. Pacific Time, Roll20 learned that an administrative account was compromised. By 7:30 P.M. Pacific Time, 

Upvote people ^

Lack of MFA is a reason I have NOT become a paying customer, it is sad that in 2024 this platform which so many use still is not secured.

Upvoted. This and user 2FA should be standard security for Roll20.

+1. Maybe after another seven years and another data breach they'll actually do something.

李鐵拐 said: +1. Maybe after another seven years and another data breach they'll actually do something. I remember someone, years ago, joked about waiting until someone from Roll20 staff themselves were hacked, so we could see proper 2FA implemented. Now that it's happened for real...

And this post continues to die in silence

Bumping this so it doesn't go away and continued to be ignored by Roll20 staff, putting all of our accounts, personal & financial information at risk.

Likewise, this would be good at least for the staff, if only for security's sake. Not having this is inviting another data breach and hack.