A hacker is accused of bribing an employee of Roblox and gaining access to the back-end customer support panel of the massively popular online video game. That access allowed the hacker to see user account info, reset passwords, and grant virtual in-game currency.
Roblox claims more than 100 million monthly users, and VICE originally reported that the hacker accessed up to that many accounts. A Roblox spokesperson contacted Boing Boing to clarify that this wasn't accurate, and that only a small number of accounts were accessed, then the abuse was shut down.
Reports Joseph Cox at VICE Motherboard:
With this access, the hacker could see users' email address, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more, according to the hacker and screenshots of the internal system. The screenshots shared with Motherboard include the personal information of some of the most high profile users on the platform.
The hacker could have looked up information on many users, although it appears they limited their actions to a handful of accounts. The news highlights not only the risk of insiders at companies exploiting their access to user data, but, with Roblox catering to a large audience of minors, how hackers may access the data of children.
"I did this only to prove a point to them," the hacker told Motherboard in an online chat. Motherboard granted the hacker anonymity to speak more candidly about a criminal incident.
Roblox is available across PC, Xbox, and mobile devices. Users can create their own games with their platform's engine or play others' creations. Roblox also leans heavily into microtransactions, with users able to buy game-passes to access more powers and abilities, or they can purchase cosmetic items for their character with in-game currency. Roblox game developers can also cash-out and earn real money from their creations.
Hacker Bribed 'Roblox' Insider to Access User Data
This is some of the stuff the Roblox hacker could have done, and did some of to at least a few accounts. If you can't hack a site/service/application, the customer support reps may help you out for a little bit of cash https://t.co/B72cNH29I8
— Joseph Cox (@josephfcox) May 4, 2020