Sensitive information identifying thousands of Roblox creators has been exposed after a data breach that affected attendees of a conference for Roblox developers, a breach that allegedly remained undisclosed by the company for at least two years. As reported by PC Gamer, the leaked data contains personal information from people who attended the Roblox Developer Conference between 2017 and 2020, including names, usernames, dates of birth, physical addresses, email addresses, IP addresses, phone numbers, and even t-shirt sizes.
“Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community,” a Roblox spokesperson told PC Gamer. “We engaged independent experts to support the investigation led by our information security team. Those affected will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and verifying the cybersecurity posture of Roblox and our third-party vendors.”
Troy Hunt, creator of the website Have I Been Pwned, drew attention to the leak on July 18 after “multiple people” notified him that private data had been published online. According to one of Hunt’s sources, the initial data breach dates back to 2021, but did not spread beyond “specific fraudulent communities within Roblox.” The source also claims that an undisclosed number of “high-profile users” affected by the leak have started receiving malicious calls, texts and emails. As noted by PC Gamer, leaked identifying data opens individuals up to all kinds of fraud and harassment, including identity theft.
Have I Been Pwned reports that the original breach may have occurred as early as December 18, 2020, and that 3,943 Roblox accounts have been compromised. Roblox did not publicly disclose the breach until this week. “Roblox has now contacted all those affected,” the company said in a statement sent to Hunt. “The minimally affected users received an apology email. For the most severely affected users, they received a year of identity protection and an apology to everyone else.”
We have reached out to Roblox to clarify when the initial breach occurred and whether the company had previously notified individual account holders affected by the breach. We’ll update this story if we hear back.
Given the sensitive nature of the leaked data, the impact could be particularly nefarious when you consider that children as young as 13 are allowed to join the Roblox Developer Program. The gaming platform is not specifically designed for children, but it is extremely popular with minors. According to the company’s first quarter 2023 earnings report, 43 percent of the platform’s 66.1 million daily active users are under the age of 13.