Almost 4,000 Roblox users have had their personal information leaked after unauthorized parties gained access to profile data. This information includes full names, phone numbers, IP addresses, and even T-shirt sizes.
Users affected the most by the leak are being offered a one-year subscription to an identity theft protection tool, paid for by Roblox. However, one of the affected users claims that the company was aware of the breach back in 2021 when the data was first accessed, having been shared around the Roblox community at this time too. This raises serious concerns about the company's protection of its developers, many of which are fans creating games sometimes for very little in return.
"In July 2023, a list of alleged attendees from the 2017-2020 Roblox Developers Conferences was circulated on a forum," reads a message from the data protection website, haveibeenpwned.com. "The data contained 4k unique email addresses along with names, usernames, dates of birth, phone numbers, physical and IP addresses and T-shirt sizes."
Troy Hunt, the creator of haveibeenpwned.com, has gone on to share emails he's received from those affected. He has also seen emails sent to users by Roblox itself, offering a year of protection to those who have had the most data released.
Roblox has since issued a statement to PC Gamer, although it says that the personal information obtained has been "limited".
"Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community," reads the statement. "We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them.
"We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors."
The wording in Roblox's statements on the matter suggests that the affected developers are ordinary users, as it says the victims come from a "subset of [its] creator community." That would explain why the information was reportedly gathered from the annual Roblox Developers Conference - an event attended by the most dedicated users.
It's not yet clear if the third party that accessed and leaked the data has done anything else with it so far. Although in one email sent to Troy Hunt, a user says that others have noticed an uptick in malicious calls, texts and emails. It remains to be seen if the protections offered by Roblox can protect the victims from this and other behaviour.