The 2016 Roblox security breach was an incident which led to the user data of 100,000 players being exposed to an unauthorized group of individuals. The breach was mentioned by Roblox administrators in a security update blog post.[1]
Incident
In July 2016, a group of unauthorized individuals accessed the Customer Service admin panel of a Roblox test site, which contained a full copy of a Roblox production database from 2012. This was done using a compromised staff account.
Any Roblox user data up to 2012 could have been accessed by the attackers, including the following:
- Transaction logs (excludes full credit card numbers)
- Robux balances
- Previous email addresses
- Login logs with IP addresses
The attackers scraped the admin panel for user data until they were kicked out by Roblox staff. While it is unknown how many users truly had their data compromised, the leaked databases resulting from this breach put the count at over 100,000. The data of around 50,000 users was publicly leaked on the internet.
Aftermath
The leaked databases were used to compromise many old accounts, both by the individuals behind the breach and by other users who obtained the files from forums. The files contained the data of around 50,000 Roblox accounts whose join dates ranged from February 2006 to September 2007. Additionally, the email addresses of certain players with high-value limiteds were also leaked as a result of this breach in January 2017.
A few weeks after the breach occurred, Roblox published a blog post titled Security Update, which includes a vague mention of the breach. As an added security measure, a Security Notification screen was added to certain accounts, forcing some account owners to reset their passwords via email.