Cyber Incident Victim: Roblox Corporation
Date: Jun 2020
Location: United States of America
Summary
Hackers compromised a grey marketplace for Roblox in-game items, stealing user data including email addresses, transactions, hashed passwords with salts, IP addresses, and seller applications containing Discord and Skype usernames. Victims confirmed the breach by verifying that their information in the stolen data was accurate. The attacker, previously involved in bribing a Roblox insider for user data, obtained this database from another individual who infiltrated the platform. The incident highlights unauthorized real-money transactions, which Roblox prohibits.
Description
In June 2020, hackers compromised RBX.Place, an unofficial marketplace where Roblox players traded in-game items for real currency, exfiltrating a database containing user information dating back to 2018. The stolen data included email addresses, transaction records, hashed and salted passwords, IP addresses, Discord handles, Skype usernames, and applications submitted by individuals seeking seller status on the platform. The attacker responsible for providing the database to Motherboard disclosed that they had acquired the data from a third party who directly breached RBX.Place, noting this individual had previously bribed a Roblox insider to access the company’s user data. The hacker emphasized the sensitivity of the dataset, stating Roblox would "have a field day" with the information due to the platform’s prohibition of real-world currency transactions for virtual items. Two individuals confirmed the accuracy of their personal details within the leaked records, validating the authenticity of the breach.

The incident exposed operational details of RBX.Place’s grey-market ecosystem, where users—including some engaged in credential-stuffing attacks to steal Roblox accounts—resold virtual goods for fiat currency. While password hashing with salts indicated some security measures were implemented by RBX.Place, the compromise still revealed extensive personally identifiable information and communication identifiers that could facilitate targeted attacks or reputational harm. The data’s inclusion of seller applications and transaction histories further highlighted risks of financial fraud or retaliatory actions against participants in this unauthorized economy. No public statements from RBX.Place or Roblox regarding containment efforts, forensic analysis, or user notifications were documented in the available source material at the time of reporting. The breach underscored persistent security challenges in third-party platforms orbiting major gaming ecosystems and the potential collateral damage from overlapping cybercriminal activities.
