
Roblox breached: Internal documents posted online by unknown attackers

A data breach has hit Roblox Corporation, the developer of the massively popular video game Roblox. An as-yet unknown attacker compromised an employee account, and is now in the process of exposing the data they collected.

Nobody knows whether they have exhausted their newly plundered trove, or whether more leaks will follow.

Hacks and compromise: from myth to reality

The Roblox player base is young, and naturally enough worried about risks from cheats and account compromise. As a result, Roblox spends a fair amount of time debunking hacking myths. The most well known of these debunks probably relates to its John Doe and Jane Doe developer managed accounts.

Sadly for Roblox, this time around the compromise appears to be very real, with one key difference: it is the developer under attack, rather than the players. For the time being, at least, players remain unaffected.

Internal employee information: leaked

A Roblox forum post has been playing host to around 4GB of stolen data. This data includes identification documents, spreadsheets relating to Roblox creators, and various email addresses. At time of writing, there are no specifics with regard to the “identification documents”. This could mean driving licences, passports, employee ID scans…we simply don’t know at the moment.

Roblox informed Motherboard that the documents were “illegally obtained as part of an extortion scheme that we refused to cooperate with”.

While there isn’t much information available yet, the mention of extortion could suggest a double extortion attempt. The first thing to spring to mind here would be a ransomware attack in which the attackers steal files before encrypting them. If the victim refuses to pay the ransom, the malware operators threaten to leak the stolen files. This can be incredibly damaging for all concerned, especially as files are often published even when the ransom is paid.

Of course, the extortion could spring from another source. Motherboard mentions the cache being stolen from an employee. That employee may have been phished, in which case there is no ransomware involvement at all. Whatever the origin of the attack, players will naturally be very concerned.

What can you do to keep your Roblox account safe?

We don’t know whether data has been taken beyond what has already been leaked. There is no indication from Roblox that user data has been accessed, though that may only be known for certain once the investigation into the attack wraps up.

This is how you can help to keep your own account safe from harm in the meantime:

Watch out for phishing. Phishing attacks often follow on from breaches, although it may take days, or even weeks for an attempt to land in your mailbox. Be wary of mails asking you to login, or claiming that there has been a problem with your account. We suggest navigating to the official Roblox site directly instead of clicking links sent to your email address.

Set up two-step verification. This will help keep your account secure even if you were to hand over your login to a bogus website. Visit your account settings page, and then from the security tab select the type of two-step verification that you’d prefer. Roblox allows for a variety of different authenticator apps for use with your account.

Log out of public and shared devices. Roblox is great to play on the go. However, leaving your account logged in on a public computer could result in item or account theft. Make sure you’ve fully logged out of any device which doesn’t belong to you. Public device compromise is still a very easy way to lose account access, and one which younger gamers could easily forget about as a potential threat.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.