A hacker has struck the highly popular free to plaꦑy game, Roblox, using bribery of a worker to gain access to account login and email information, in game currency, an✱d other personal informatio💛n. With more than , equating to more than a bill🥀ion hours 🉐of gameplay each month, the implications here are striking.
This invasion began with the hacker initiating contact, and providing payment to an insider to look up information about users. This step was only the beginning of the attack. The next step was to use that information, and reach out to a customer service representative, to get Roblox to provide access to the 👍accounts. From there, everything from two factor authentication settings to in-game currency to full account control and information was available.
What ꧅would be the motivation for such an attack? In an anonymous interview with , the hacker said this was done, “...only to prove a poin💞t to them.” Roblox, like many corporations, offer bug bounties to those who identify vulnerabilities that can be fixed, to prevent actual aggressive attacks that could harm or breach users. The hacker did attempt to seek a bug bounty fo🍬r this attack. Unlike many so-called white hat hackers, this hacker went on to change the passwords of prominent aꦺccounts such as Linkmon99 (The richest player in Roblox), and sold items.🌠 The hacker elaborated their motivations to actually cause these ac🐷count changes and selling the items happened only after they, “had a feeling the bounty sh*t was gonna go south.”
Strong passwords? Unique email addresses. Two factor authentication? All of these did not protect users, highlighting an unfortunate threat via hackers to seek valuable personal information and in game items. This was a complex phishing attack, beginning not by a common insider acquaintance, but via the professional social media site LinkedIn🌼. After bribing the employee (and keeping screenshot records of this discussion), the attack resumed. While common, and even important to have an updated LinkedIn profile, users with access to protected information of others are in an especially vulnerable position to be phished in a similar fashion.
Roblox gavꦛe an official statement on the incident, noting that the very small number of users who were affected were notified🎃, and action was taken to address the issue. The team at Roblox went on to elabor🐟ate that the issue was escalated to HackerOne, their official bug research program to identify vulnerabilit🐼ies to protect users.
Source: