A previously unknown data breach exposed the personal information of thousands of Roblox developers, putting them at risk of identity theft and online fraud.
The incident, which became public knowledge on July 18, 2023, impacted approximately 4,000 accounts of individuals who attended the Roblox Developer Conference between 2017 and 2020.
According to the data breach tracking website haveibeenpwned.com, it occurred on December 18, 2020, and remained within “niche cheating communities within Roblox.”
Data breach exposed Roblox developers’ PII
The Roblox data breach leaked personally identifiable information associated with 3,943 developer accounts. Details leaked include Roblox developers’ names, phone numbers, usernames, IP and email addresses, dates of birth, physical addresses, and T-shirt sizes.
However, the data breach did not expose Roblox developers’ financial information, such as banking information and credit cards, account passwords, or social security numbers.
Still, impacted individuals are at risk of targeted phishing attacks that could eventually expose more sensitive information.
According to Sam Humphries, Head of Security Strategy, EMEA at Exabeam, the Roblox data breach extends beyond the gaming platform.
“Attendees likely included developers, engineers, and security professionals who have access to sensitive data on their companies’ networks,” Humphries said. “The threat actors who conducted the attack were likely not going after Roblox, but the personal accounts and workplaces of those who attended the conference. Rather than attack each organization individually, the adversary probably figured it would be easier to break through Roblox, particularly because this isn’t the company’s first data leak incident.”
Roblox confirms a third-party data breach
On July 20, 2023, the gaming platform addressed the data breach, attributing it to a “third-party security issue” leading to unauthorized access and exposure of “limited personal information” of some Roblox developers.
“We engaged independent experts to support the investigation led by our information security team,” a Roblox spokesperson told PC Gamer. “Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors.”
According to Have I Been Pwned creator Troy Hunt, many impacted Roblox developers only received a “sorry email,” while the more seriously affected were offered a year of identity protection.
Roblox is no stranger to data breaches. In July 2022, the gaming platform suffered an employee data breach that exposed 4GB of data, including unspecified identification documents, email addresses, and spreadsheets about Roblox developers.
In 2020, a hacker told Vice’s Motherboard they bribed a Roblox employee to access information of over 100 million users. The hacker could view users’ email, turn off two-factor authentication, and ban users. Eventually, the attacker reportedly stole in-game items when their bug bounty claim was rejected.
Worryingly, a large percentage of Roblox’s active users are minors, including some of the Roblox Developer Conference attendees impacted by the data breach.
While the developer program is not intended for minors, screenshots of the leaked data confirm that teen developers aged 16 or below attended the event. According to the company’s Q1 2023 earnings report, 43% of Roblox’s 66 million daily users were minors.
PC Gamer warned that impacted individuals were at risk of various attacks, including harassment. Sources say impacted high-profile Roblox developers have received malicious emails, calls, and texts.
Consequently, impacted individuals should remain vigilant for phishing attempts, closely monitor their accounts for suspicious activity, enable two-factor authentication, and change their online account passwords out of an abundance of caution.
“Roblox is not alone. Unknown, or ‘shadow’ data has become a concern for 93% of data security and governance professionals today, and is a driving force leading to three-in-four organizations experiencing a cloud data breach over the last year,” said Amit Shaked, CEO and Co-Founder at Laminar. “Shadow data can occur when legacy data isn’t deleted, copied data lives in test environments, data gets misplaced in buckets, or orphaned backups, which might have been what happened for Roblox, are left stale.”