By bribing an employee of the popular online game Roblox, a hacker was able to access the company’s customer support panel, which allowed him to look up the personal information of other users and to grant virtual in-game currency.
As reported by Motherboard, the hacker was able to use this access to view other users’ email addresses, change their passwords, remove two-factor authentication from their accounts, ban users, etc. The hacker shared screenshots with the media that included the personal information of some of Roblox’s most prominent users, including YouTuber Linkmon99.
While the hacker could have searched for information on many users, they only accessed a handful of accounts. In an online chat with Motherboard, the hacker said, “I only did it to prove a point to them.”
Access to other users’ online accounts and in-game items via social engineering and bribery is bad enough, but the fact that many Roblox users are children further complicates matters.
In addition to viewing user data, the hacker was also able to reset passwords and modify other user data, according to screenshots of the customer support panel shared with Motherboard. According to the hacker, they changed the password of two accounts and sold their items.
The hacker started infiltrating the Roblox platform by paying an insider to perform data searches for them. However, the hacker took it a step further by targeting a customer support representative for even more access to corporate systems.
The hacker even went so far as to try to claim a Roblox bug bounty, which was denied because they didn’t find a vulnerability but instead used social engineering and bribery to gain access to its systems.
After the hack, Roblox resolved the problem and notified the small number of affected users individually. The company also reported the hacker’s actions to the HackerOne bug bounty platform as an additional measure.
Via Motherboard