A major Roblox data breach
A major Roblox Data Breach has seen the personal information of almost 4,000 people who attended the Roblox Developer Conference between 2017 and 2020 leaked online, including their names, addresses, phone numbers, and email addresses. The information, which also includes each individual’s t-shirt size, has been made available on a public website for almost two years, and Roblox has made no public comment about it until now.
Such identifying information is gold dust for bad actors, and the sheer quantity of data involved here is especially worrying: this is basically all you need to effectively impersonate someone. The implications here are wide-ranging, from identity theft and scams to more sinister motives.
The gaming platform, which is one of the largest in the world, was informed of the breach as far back as 2021, with the information becoming available as of 18 July 2023 (according to the website haveibeenpwned, which lets you check if your accounts have been compromised).
The site says the original breach date was 18 December 2020, with the information becoming available on 18 July 2023, with a total of 3,943 compromised accounts. You can check if you have been affected here.
If you find that you have, I would highly recommend searching on haveibeenpwned, enabling two-factor authentication on all accounts (as well as keeping an especially close eye on bank transactions for a while), and registering for identity protection services if you can.
The engineer behind haveibeenpwned, Troy Hunt, said the leak was posted in 2021 but according to an unnamed source didn’t spread outside of niche Roblox communities.
“Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community,” a Roblox spokesperson via email. “The incident has been resolved, and we have contacted all minimally affected users. For more seriously affected users, we have contacted them directly and provided additional information about the incident and steps they can take.”
Well, doesn’t look like Roblox was being especially vigilant here. If you were on that list, I imagine you’d rather they tell you about it in 2021 than wait until 2023.
If you have been affected, minimally you just got a sorry email, for more seriously affected users they got a year of identity protection and an apology for everyone else.
There’s been no further comment on the official Roblox or Roblox developer accounts.
Featured image credit: Shutterstock.
