[BreachExchange] Hackers Compromise A Grey Market That Trades In Roblox Items

Destry Winant destry at riskbasedsecurity.com
Tue Jun 23 10:29:35 EDT 2020


Hackers have compromised a grey marketplace called “RBX.Place”,
exposing the personal data of its users, according to a database
obtained by Motherboard.

For those unaware, RBX.Place is a website where players of the hugely
popular online game, Roblox, can buy and sell in-game items in
exchange for real money. However, RBX.Place is a site independent of
Roblox itself.

The exposed data, which appears to date from 2018, includes email
addresses, transactions, hashed passwords, and other personal
information of users of the RBX.Place website.

Roblox, an online game platform and game creation system available on
Xbox, PC, and mobile devices, allows users to program games and play
games created by other users. The platform hosts user-created games in
many genres, such as racing games, role-playing games, simulations and
obstacle courses, coded in the programming language Lua.

Several current and former members of the Roblox community, speaking on
condition of anonymity, have told Motherboard that hackers broke into
their Roblox accounts, stole their items and later sold them for cash
on the RBX.Place website.

The information in the hacked RBX.Place database was confirmed to be
accurate by two people whose data was included, reported Motherboard.
Other exposed personal data includes Discord handles, Skype usernames,
and IP addresses, which users had to provide to become sellers on the
site.

RBX.Place operates as a grey market because selling in-game items is
against the rules of the Roblox platform. Roblox’s Terms of Service
state the following under the heading “Final Payment”:

“All payments for Robux are final and not refundable or exchangeable,
except as required by applicable law. You may not transfer, assign,
sell, gift, exchange, trade, convert, lease, sublicense, rent, or
distribute Robux except through the Service and as expressly permitted
by us. Any disposition or attempted disposition of Robux in violation
of these Terms will be void and will result in immediate termination
of your Account and your license to use Robux. We do not recognize or
condone any third-party services that may be used to sell, exchange,
transfer, or otherwise dispose of Robux. We do not assume any
responsibility for, and will not support, such transactions.”

According to Motherboard, the hacker who provided the database to the
publication is the same hacker who previously bribed a Roblox customer
support representative to get access to the back end customer support
panel. This hacker is not responsible for the breach but bought the
database from someone who compromised the site.

“Roblox would have a field day with this database because USD selling
ain’t allowed anyway,” the hacker told Motherboard in an online chat.

When Motherboard contacted an RBX.Place staff member for comment, they
were directed to the website’s owner, who could not be reached. If you
are a member of RBX.Place, it is advisable to refrain from buying or
selling anything on the website.
