Sensitive information identifying thousands of Roblox creators has been exposed following a data breach impacting attendees at a conference for Roblox developers, which allegedly remained undisclosed by the company for at least two years. As reported by PC Gamer, the leak contains personal information from people who attended the Roblox Developer Conference between 2017-2020, including names, usernames, date of birth, physical addresses, email addresses, IP addresses, phone numbers, and even T-shirt sizes.
Data breach exposes personal information of 4,000 Roblox developers
Data breach exposes personal information of 4,000 Roblox developers
“Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community,” said a Roblox spokesperson to PC Gamer. “We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors.”
Troy Hunt, creator of the website Have I Been Pwned, brought attention to the leak on July 18th after “multiple people” notified him that the private data had been published online. According to one of Hunt’s sources, the initial data breach dates back to 2021, but didn’t spread beyond “niche cheating communities within Roblox.” The source also claims that an undisclosed number of “high-profile users” impacted by the leak have started receiving malicious calls, texts, and emails. As noted by PC Gamer, the identifying data leaked opens up individuals to all sorts of scams and harassment, including identity theft.
Have I Been Pwned reports that the original breach may have occurred even earlier on December 18th, 2020, and that 3,943 Roblox accounts have been compromised. Roblox did not publicly disclose the breach until this week. “Roblox has now contacted everyone affected,” said the company in a statement sent to Hunt. “Minimally affected users just got a sorry email. For more seriously affected users they got a year of identity protection and an apology for everyone else.”
We have reached out to Roblox to clarify when the initial breach occurred, and if the company had previously notified individual account holders impacted by the leak. We will update this story should we hear back.
Given the sensitive nature of the leaked data, the impact of this could be especially nefarious when you consider that children as young as 13 are permitted to join Roblox’s Developer program. The gaming platform isn’t designed specifically for children, but it is extremely popular with minors. According to the company’s Q1 earnings report for 2023, 43 percent of the platform’s 66.1 million daily active users are under 13.