Roblox Accounts Got Hacked By Allegedly Bribing An Insider [Updated]
While Minecraft is often regarded as the creativity platform that started it all, Roblox is perhaps the one that was able to capitalize on it best. The User-Generated Content or UGC platform boasts of thousands of players, many of them young kids, and has become an educational platform especially in the past months. Given the audience, you'd expect the company to be extra careful about its security. One hacker tries to prove it isn't but its message has been muddied by the methods used to convey it.
The hacker didn't really go through the usual routes that both traditional hackers and even white hat hackers take to get inside Roblox's servers. The latter groups would do hard, technical work to exploit vulnerabilities in the security systems used to protect a server. This hacker that disclosed to Motherboard the data it was able to pilfer paid or phished a Roblox employee to get the access he or she needed instead.
It's not that the hacker wasn't really able to get in. He showed screenshots and disclosed details that would normally be secured, something Motherboard was able to confirm with hacked Roblox users. For better or worse, the hacker limited his access to only the high-profile user accounts, though he did have the ability not only to see their email addressed but also to change passwords or turn two-factor authentication on or off.
The hacker said he only did it to prove a point to Roblox and to collect a bounty on a security bug. That vulnerability, however, doesn't exist and Roblox reported the incident to its bug bounty platform HackerOne for further investigation. Once it was clear that no bounty award would be given, the hacker decided to do more damage and changed user passwords and stole their Roblox items. Update: A Roblox spokesperson tells us that the company declined the bounty after the hacker changed passwords and stole Roblox items from other users, not before.
The incident doesn't detract from the fact that Roblox should indeed be more careful given the audience it caters to. The hacker could have chosen a better way to get that message across but his actions perhaps proved that he had less than benign intentions from the start.