What just happened? Roblox, the online gaming platform that’s loved by younger players, has had its user data accessed by a hacker. Rather than using more traditional means of breaching systems, the hacker bribed a worker to gain access to the back-end customer support panel.
As reported by Motherboard, the hacker was able to look up the personal information of over 100 million active monthly users. The perpetrator could see email addresses, change passwords, remove two-factor authentication from accounts, ban users, and even hand out in-game currency.
While they could have accessed information on many of the game’s users, the hacker only looked up a small number of accounts. Speaking to Motherboard, the person said they “did this only to prove a point to them.”
Roblox, which is available on multiple platforms, lets people create their own games or play ones made by others. It’s incredibly popular with children and has a massive YouTube community. One of the most high-profile players, YouTuber Linkmon99, had his data accessed by the hacker, who took screenshots of their actions as proof.
“That email address is the one secretly linked to my account,” Linkmon99 confirmed.
The hacker was able to do more than just view data. They changed the passwords for two accounts and sold their items. Another screenshot showed a successful disabling of two-factor authentication on a different account.
After breaching the platform, the hacker attempted to claim a bug bounty from Roblox, but because the access was achieved through social engineering and bribery rather than a software vulnerability, the company refused to pay.
Roblox said it has now notified the affected users and reported the incident to the bug bounty platform HackerOne.
If there's one thing the incident proves, it's that the weakest link in a network’s security chain is often its workers.