
E-mail notices about the data theft

1720019698

Edited 1720024048
Dear Roll20 team, it would be very helpful if one of you could verify whether or not the ominous e-mail entitled "Important notice regarding your data" was actually sent out by you. This e-mail contains long and weird links not leading to the roll20.net domain, but instead to a completely different place. If this e-mail is authentic (and not a phishing attempt connected to the reported data theft), please explain why it was necessary to use anything but direct and transparent links.
1720022028

Edited 1720022574
Andreas J.
Forum Champion
Sheet Author
Translator
It seems to be a word for word copy of the recently updated https://app.roll20.net/forum/post/11956700/investigating-compromised-admin-account post from 3 days ago first mentioning the case, and was edited 17 hours ago with the update. So I think the forum post was first updated, and then sending out the email was done some hours later, likely after double & triple-checking the facts before pushing send. The redirect: Hubspot is a tool used by businesses for customer relationship management, social media marketing, content management, and web analytics, so the consumer.ftc.gov/online-security link is likely for checking how many actually check out more info on this. I don't like weird links either, and prefer transparent links as well, and the use of some redirect is to my mind also ill suited to the topic mentioned. Haven't looked at roll20 mail in some while now, so not sure how often they use that kind of redirect in other cases.
Thank you for the information. And my sentiments exactly: Using link redirects under these circumstances is highly questionable -- to say the least.
Furthermore, I didn't get an email at all. Not in spam, not in trash, which is uncleared and far from full. Nothing. A friend had to share this with me. But even if I had, the information provided is hardly adequate. You should be telling people to change their passwords here and anywhere they reuse variations of that password, at minimum. Advising people not to reuse passwords and giving a password safe option or two would be better. Enough data was accessed to allow for decent social engineering, and giving people tools to help mitigate that should be a priority. For, while you say "we have no reason to believe that your personal information has been misused", I would argue you have a very good reason to believe it has been: that someone accessed it maliciously. They weren't doing so to make donations in our names to Save the Puppies and Kittens.
Seems the hacked account was the one they used for Forums and the automated 30 day close notification...
1720111087

Edited 1720111464
Gauss
Forum Champion
Shine said:
Furthermore, I didn't get an email at all. Not in spam, not in trash, which is uncleared and far from full. Nothing. A friend had to share this with me. But even if I had, the information provided is hardly adequate. You should be telling people to change their passwords here and anywhere they reuse variations of that password, at minimum. Advising people not to reuse passwords and giving a password safe option or two would be better. Enough data was accessed to allow for decent social engineering, and giving people tools to help mitigate that should be a priority. For, while you say "we have no reason to believe that your personal information has been misused", I would argue you have a very good reason to believe it has been: that someone accessed it maliciously. They weren't doing so to make donations in our names to Save the Puppies and Kittens.

Hi Shine,
Regarding not getting an email, I would check your spam folder. If you still didn't, I would verify that Roll20 has your correct email address. You can do that by going to your Account.
As for the data, I am not personally concerned with it as name, email, and IP address are already out in the wild. So many companies have your data already and are selling it; it is not really protected information.
The last 4 digits of the cc is also not a major concern to me, it is likely to be out there already as it is not considered sensitive information. Example: you go to the store and buy something, take a look at the receipt, the last 4 digits of your cc are there.
Regarding passwords, that was not part of the data breach.