Sensitive information belonging to thousands of creators on the popular online gaming platform, Roblox, has been exposed following a data breach that occurred at a conference for Roblox developers. The breach, which allegedly remained undisclosed by Roblox for at least two years, has raised concerns about the security of user data on the platform.
According to PC Gamer, the leak includes personal information from individuals who attended the Roblox Developer Conference between 2017 and 2020. The exposed data includes names, usernames, dates of birth, physical addresses, email addresses, IP addresses, phone numbers, and even T-shirt sizes.
Upon discovering the breach, Roblox released a statement acknowledging the incident. A spokesperson for the company stated that they were aware of a third-party security issue that resulted in unauthorized access to limited personal information of a subset of their creator community. They further mentioned that independent experts were engaged to support the investigation led by their information security team. Roblox pledged to take necessary steps to support those affected by the breach, and impacted users would receive an email with details about the next course of action.
The breach was first brought to public attention by Troy Hunt, the creator of the website Have I Been Pwned. Hunt received notifications from multiple sources about the publication of private data of Roblox users. One of Hunt’s sources revealed that the initial breach took place in 2021 and was limited to niche cheating communities within Roblox. The source also claimed that high-profile users impacted by the breach had begun receiving malicious calls, texts, and emails. The leaked data puts individuals at risk of various scams and harassment, including identity theft.
Have I Been Pwned reported that the original breach may have occurred even earlier, on December 18th, 2020, and a total of 3,943 Roblox accounts were compromised. It is alarming that Roblox did not publicly disclose the breach until this week. However, in a statement sent to Hunt, Roblox confirmed that they have now contacted everyone affected by the breach. Users who were minimally affected received a notification email, while more seriously affected users were offered a year of identity protection and an apology.
There are concerns about the impact of this data breach, particularly considering that Roblox allows children as young as 13 to join its developer program. While the gaming platform is not specifically designed for children, it is extremely popular among minors. Roblox’s Q1 2023 earnings report indicates that 43 percent of the platform’s 66.1 million daily active users are under the age of 13. This makes the leaked data even more sensitive and poses significant risks, as children are particularly vulnerable to online scams and exploitation.
As of now, it is unclear when the initial breach occurred and whether Roblox had previously notified individual account holders affected by the leak. We have reached out to Roblox for clarification and will provide updates if we receive a response.
This breach highlights the importance of robust security measures and the need for companies to prioritize the protection of user data, especially when dealing with platforms that attract a significant number of young users. The incident serves as a reminder for individuals to practice good online hygiene, such as using strong and unique passwords, enabling two-factor authentication, and being cautious about sharing personal information online.