A new report claims that a Roblox worker had been bribed by a hacker, resulting in a massive data breach that exposed the personal information of over 100 million active monthly users.
The access gave the hacker the ability to see users' personal information, including their email addresses and passwords. Based on screenshots that the attacker shared with Vice's Motherboard tech team, the hacker could also remove two-factor authentication from active accounts and ban users. The screenshots were of Roblox's most high-profile users.
The Roblox insider basically gave the hacker full access to millions of accounts, but they limited their actions to only several accounts. The breach shows how the platform can be easily infiltrated by hackers who want to make money off users' data, and at the same time shows how children, who make up the audience of the game, are vulnerable to malicious attacks.
In an interview with Motherboard via online chat, the hacker insists that he only wants to prove a point. The incident did little damage but underscores the growing risks of social engineering attacks.
While only a handful of accounts were exposed, they included the accounts of some of the most well-known players in Roblox, like Linkmon99. Linkmon99 is popular on the platform for being one of the richest Roblox players in the world in terms of in-game items.
Apart from viewing user data, the hacker could easily edit user information and reset passwords. For proof, the hacker also shared screenshots of how they did it. However, only two accounts were affected by this activity, with both users' items also sold. Another screenshot of the attack shows how the hacker was able to disable two-factor authentication settings, which is a crucial security step in protecting one's account.
According to the hacker, they were able to coerce the Roblox worker to look up user data for them, and then proceeded to target one customer support representative. A screenshot of what appears to be the conversation between the insider and the hacker was also shared with Motherboard. The publication notes that the insider's LinkedIn profile lists him as an in-game support contractor for the game.
In an email, a spokesperson for Roblox said its team of experts is already looking into the matter.
"We immediately took action to address the issue and individually notified the very small amount of customers who were impacted," the spokesperson confirmed.