As reported by Motherboard, the hacker was able to look up the personal information of over 100 million active monthly users. The perpetrator could see email addresses, change passwords, remove two-factor authentication from accounts, ban users, and even hand out in-game currency.
While they could have accessed information on many of the game’s users, the hacker only looked up a small number of accounts. Speaking to the Motherboard, the person said they “did this only to prove a point to them.”
Roblox, which is available on multiple platforms (download the PC version here), lets people create their own games or play ones made by others. It’s incredibly popular with children and has a massive YouTube community. One of the most high-profile players, YouTuber Linkmon99, had his data accessed by the hacker, who took screenshots of their actions as proof.
The hacker was able to do more than just view data. They changed the passwords for two accounts and sold their items. Another screenshot showed a successful disabling of two-factor authentication on a different account.
As the platform was breached, the hacker attempted to claim a bug bounty from Roblox, but because this was achieved using social engineering and bribery, rather than a vulnerability, the company refused to pay.
Roblox said it has now notified the users that were affected and reported the incident to bug bounty platform HackerOne.
If there’s one thing the incident proves, it’s that the weakest link in a network’s security chain is often its employees.
World news – CA – Hacker accessed Roblox users’ data by bribing employee