Children’s computer game Roblox insider tricked by hacker for access to users’ data

The hacker had access to personal information, the ability to change passwords and two-factor authentication, and could steal valuable in-game items from some of the 'richest' players in the game

Adam Smith
Wednesday 06 May 2020 09:35

A hacker who bribed a worker for the online video game Roblox gained access to the personal information of a small number of users, along with the ability to change passwords and email addresses and to allocate in-game currency.

The hacker first paid an insider to look up data about users, and then targeted a customer support representative. They said they did it to “prove a point” to the company.

Speaking to Motherboard on condition of anonymity, the hacker said they could also change security settings, enact bans, and steal items from other users.

Roblox is a free-to-play game that “lets you play, create, and be anything you can imagine,” according to its description on the Microsoft Store. It is available on a number of platforms, including Android and iOS smartphones, Xbox game consoles, and Windows computers.

Players can customise characters and then navigate ‘minigames’ such as running obstacle courses, scuba diving, acting as a superhero, and many other activities.

According to TechCrunch, its millions of users range in age from eight to 18, although its key demographic is between nine and 15 years old.

“A lot of kids come to Roblox to play with their friends,” Craig Donato, Roblox Chief Business Officer, told TechCrunch. “It’s like a virtual playground where they tend to jump from game to game with their friends – almost like jumping like I used to jump from the swing set to the monkey bars.”

In screenshots reportedly seen by Motherboard, the hacker claimed to show a customer support panel containing user data from high-profile players such as YouTuber Linkmon99 – known for being the "richest" player due to the value of their in-game items.

The YouTuber confirmed to Motherboard that the email address shown was one “secretly” used on their account after it had been hacked previously, and that they had received messages from the hacker.

"I knew it must be true because there's no other way anyone else could have found that email or other private info that was attached regarding my moderation history, account status, etc," they said.

The hacker claimed to have tricked a Roblox worker into granting access to the customer support panel, in an attempt to receive compensation for finding a bug in Roblox’s system, although there is no indication that a vulnerability actually existed.

In a statement to Motherboard, a Roblox spokesperson said that the company "immediately took action to address the issue and individually notified the very small amount of customers who were impacted. We’ve also reported the actions of this individual to HackerOne [the bug bounty platform] for investigation as an additional measure."
