Roblox data breach exposes developer data
Developers who attended a Roblox conference may have had their data stolen
Note: The title of this article has been changed to reflect that Roblox's creator and developer community was impacted by the data leak, not its employees.
Attendees of the Roblox Developer Conference between 2017 and 2021 may have had their personal data leaked.
News of the data breach was broken on X (previously known as Twitter) by Troy Hunt, creator of the site Have I Been Pwned. Have I Been Pwned allows users to search their name and details to see if they have been leaked in any data breaches.
In an anonymous message sent to Hunt, a source said that all those who attended the Roblox Developer Conference had their data leaked. According to the source, the data accessed during the cyber attack included full names, birth dates, email, home and IP addresses and phone numbers. The source also said that the data had been posted online.
Hi folks, anyone seen any commentary about this @Roblox incident? I have the data and have been contacted by multiple people about it, DM me if you have a link to any further discussion on it (or other info). pic.twitter.com/giBH1UBrXn
— Troy Hunt (@troyhunt) July 18, 2023
The source said they discovered the leak when “some Turkish person” contacted them via WhatsApp after searching their username. They checked Have I Been Pwned to see if they had been the victim of a data leak, but it did not appear they had been. Following this, the source contacted Hunt to ask him to include details of the data breach on the site.
Another source contacted Hunt about the data leak. The source backed up information already sent to Hunt, while also alleging that Roblox never publicly or internally disclosed the data leak, meaning those affected were not informed about the cyber attack.
The source said the leak had been re-published online recently, where it had been garnering “significant attention” from both malicious and non-malicious parties. The source alleged that this re-publishing of stolen data had seen “high-profile users” receive “malicious calls, texts and emails”.
Email from a different person on this. Looks like the data appeared on a forum, was grabbed by a bunch of people then disappeared. Nearly 4k addresses by my count. pic.twitter.com/fwfeENcAT4
— Troy Hunt (@troyhunt) July 18, 2023
On July 20, Roblox addressed the data leak, telling Hunt that the company had contacted everyone affected.
Concerning the data leak notifications, Roblox said that: “Minimally affected users just got a sorry email. For more seriously affected users they got a year of identity protection and an apology for everyone else.”
On July 24, a Roblox spokesperson reached out to Cyber Security Hub regarding the data leak, saying: "Roblox is aware of a third-party security issue where there were indications of unauthorised access to limited personal information of a subset of our creator community. We engaged independent experts to support the investigation led by our information security team.
"Those who were impacted have received an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third party vendors."