The major gaming platform Roblox has suffered a major data breach, leading to the release of personal information including addresses from those who attended the Roblox Developer Conference between 2017-2020. The leak contains almost 4,000 names, phone numbers, email addresses, dates of birth, and physical addresses. Such identifying information is gold dust for bad actors, and raises serious questions about the data security of one of the largest gaming platforms around.
"Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community," said a Roblox spokesperson via email. "We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors."
Well, doesn't look like Roblox was being especially vigilant here. The website haveibeenpwned says the original breach date was 18 December 2020, with the information becoming available on 18 July 2023, with a total of 3,943 compromised accounts. The site notes that as well as all the above information, the leak even includes each individual's t-shirt size.
The implications of this for those affected are identity theft and scams, with the quantity of data especially worrying: this is basically all you need to effectively impersonate someone. Beyond the above statement, Roblox has made no further comment, and it's likely that the ramifications of this will continue to unfold for some time, especially if anyone on the list is indeed targeted. Anyone concerned should search on haveibeenpwned and enable two-factor authentication on all accounts (as well as keeping an especially close eye on bank transactions for a while).
Hi folks, anyone seen any commentary about this @Roblox incident? I have the data and have been contacted by multiple people about it, DM me if you have a link to any further discussion on it (or other info). pic.twitter.com/giBH1UBrXnJuly 18, 2023
Troy Hunt, the engineer behind haveibeenpwned, said the leak was posted in 2021 but according to an unnamed source didn't spread outside of niche Roblox communities, while at the time the company did not publicly disclose the leak or alert anyone affected. The leak then appeared on a public forum a few days ago.
“Roblox has now contacted everyone affected," said the company in a statement sent to Hunt. "Minimally affected users just got a sorry email. For more seriously affected users they got a year of identity protection and an apology for everyone else.” There's been no further comment on the official Roblox or Roblox developer accounts.