Roblox Data Breach: PII of Thousands of Developers Stolen

It turns out that Roblox suffered a data breach in 2021, but the company only revealed its details this week.
Roblox Data Breach: PII of Thousands of Developers Stolen

In total, 3,943 Roblox developer accounts were compromised but what’s more concerning is that, apart from adults, children aged 13 and above are also allowed to join the Roblox Developer program.

Back in 2021, Roblox suffered a data breach, but the company reportedly hid this information for at least two years. The breach mainly impacted attendees of past conferences held between 2017-2020 for Roblox developers, who now risk harassment and online scams like identity theft.

The website Have I Been Pwned’s creator Troy Hunt brought the data exposure to public attention on 18th July. According to Hunt’s tweet, several people informed him about their private details available online. However, Hunt stated that the breach’s impact didn’t go beyond Roblox’s niche cheating communities.

Hunt explained that the breach originally occurred on 18th December 2020, and around 3,943 accounts were compromised. The exposed data included sensitive details such as names, usernames, phone numbers, email IDs, IP addresses, home addresses, date of birth, and T-shirt sizes. When he informed the company, Roblox said they had contacted all affected individuals.

“Minimally affected users just got a sorry email. For more seriously affected users, they got a year of identity protection and an apology for everyone else,” Roblox’s response to Hunt read.

Roblox Data Breach: PII of Thousands of Developers Stolen
Emails sent by Roblox

Roblox admitted that a third-party security issue led to unauthorized access to a subset of personal data belonging to its creators. The company collaborated with independent experts and launched an investigation to determine the cause and impact of this incident.

The companies maintained that it will send all impacted creators an email informing them about the steps Roblox intends to take to support them, and they will now vigilantly monitor and vet its cybersecurity systems and the affiliated third-party vendors.

It must be noted that, apart from adults, children aged 13 and above are also allowed to join the Roblox Developer program, according to this Roblox guide. However, the platform isn’t designed for minors.

This is why the data leak can have a far-reaching impact, considering that, according to the first quarter earnings report of 2023, approximately 43% of Roblox’s over 66 million daily active users were minors.

Roblox Data Breach: PII of Thousands of Developers Stolen
The leak data seen by shows the records indeed contain data of teen developers (Image credit:

The exposure of email IDs can expose users to phishing attempts or spam campaigns. Moreover, targeted scams can be launched easily using other details.

In a comment on the Roblox breach, Samantha Humphries, Head of Security Strategy EMEA, Exabeam told that “The threat actors who conducted the attack were likely not going after Roblox, but the personal accounts and workplaces of those who attended the conference. Rather than attack each organisation individually, the adversary probably figured it would be easier to break through Roblox, particularly because this isn’t the company’s first data leak incident.”

Samantha warned that “For any organisation that had representatives attending the conference, it’s critical to have visibility and insights into user activities to detect anomalies, investigate, and then mitigate any abnormal behaviour.”

“To reduce the chance of unauthorised third-party access, which Roblox confirmed contributed to the release, I would encourage organisations to create a vendor risk management plan, thoroughly vet third parties, and require accountability to remain vigilant and align to best cybersecurity practices such as strong password management, Samantha advised.

Roblox is a widely used platform boasting an extensive user base and developer community. But, the platform is criticized for weak security. The company claims to protect user privacy and data, but its attempt to hide the breach for such a long time has tainted users’ trust.

Users should take precautionary measures while using these services. Always change your password periodically and enable 2FA authentication. Keep monitoring financial accounts to identify suspicious activities promptly.

  1. Hackers deface Roblox accounts with pro-Trump messages
  2. Epic Games Forums Suffer Data Breach; 800k Accounts Stolen
  3. Town of Salem data breach: Personal data of 7.6M gamers stolen
  4. Game giant Electronic Arts is the latest victim of massive data breach
  5. Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware
Related Posts