[BreachExchange] CHILDREN’S COMPUTER GAME ROBLOX INSIDER TRICKED BY HACKER FOR ACCESS TO USERS’ DATA

Destry Winant destry at riskbasedsecurity.com
Wed May 6 10:19:02 EDT 2020


https://www.independent.co.uk/life-style/gadgets-and-tech/news/motherboard-rpg-roblox-hacker-data-stolen-richest-user-a9499366.html

A hacker who bribed a worker for the online video game Roblox managed
to gain access to the personal information of a small number of
users, along with the ability to change passwords and email addresses
and to allocate in-game currency.

The hacker first paid an insider to look up data about users, and then
targeted a customer support representative. They said they did it to
“prove a point” to the company.

The hacker, who spoke to Motherboard under the condition of anonymity,
could also change security settings, enact bans, and steal items from
other users.

Roblox is a free-to-play game that “lets you play, create, and be
anything you can imagine,” according to its description on the
Microsoft Store. It is available on a number of platforms, including
Android and iOS smartphones, Xbox game consoles, and Windows
computers.

Players can customise characters and then navigate ‘minigames’ such as
running obstacle courses, scuba diving, acting as a superhero, and
many other activities.

According to Techcrunch, its millions of users range in age from eight
to 18, although its key demographic is between nine and 15 years old.

“A lot of kids come to Roblox to play with their friends,” Craig
Donato, Roblox Chief Business Officer, told Techcrunch. “It’s like a
virtual playground where they tend to jump from game to game with
their friends – almost like jumping like I used to jump from the swing
set to the monkey bars.”

In screenshots reportedly seen by Motherboard, the hacker claimed to
show a customer support panel containing user data from high-profile
players such as YouTuber Linkmon99 – known for being the "richest"
player due to the value of their in-game items.

The YouTuber confirmed to Motherboard that the email address shown was
one “secretly” used on their account after it had been hacked
previously, and that they had received messages from the hacker.

"I knew it must be true because there's no other way anyone else could
have found that email or other private info that was attached
regarding my moderation history, account status, etc," they said.


The hacker tricked a Roblox worker into giving them access to the
customer support panel, and did so in an attempt to receive
compensation for finding a bug in Roblox’s system, the person claimed,
although there is no indication of a vulnerability actually existing.

In a statement to Motherboard, a Roblox spokesperson said that the
company "immediately took action to address the issue and individually
notified the very small amount of customers who were impacted. We’ve
also reported the actions of this individual to HackerOne [the bug
bounty platform] for investigation as an additional measure."

