A hacker bribed a customer support representative of the popular online video game platform, Roblox to get access to the back end customer support panel, reports Motherboard.
With this access, this anonymous attacker could see users’ email addresses, as well as change passwords, remove two-factor authentication from their accounts, prevent users temporarily or permanently, and more.
The hacker shared screenshots and disclosed details with Motherboard, which include the personal information of some of the most high profile users on the platform. Such information would normally be secured, something which Motherboard was able to confirm with hacked Roblox users.
Also Read- Best Roblox Games That You Must Play
Besides having the ability to see email addresses, the hacker could also change passwords or turn two-factor authentication on or off.
While the hacker could have searched for information on many users, it appears that he restricted his actions to only high-profile user accounts.
“I did this only to prove a point to them,” and to collect a bounty on a security bug and had no other hidden motives, the intruder revealed to Motherboard in an online chat.
Roblox reported the incident to its bug bounty platform HackerOne for further investigation, as no vulnerability existed.
Once it was clear that the attempt to claim a bug bounty wouldn’t work, the hacker updated two-factor settings of user passwords and stole their Roblox items once they “had a feeling the bounty shit was gonna go south.”
Not pleased with the attack, a Roblox spokesperson told Motherboard in an email, “We immediately took action to address the issue and individually notified the very small amount of customers who were impacted.”?
According to Roblox, the hack was more of a social engineering attack, which involves phishing, in this case, bribing of the customer support representative to give out secured information.
Roblox is available across PC, Xbox, and mobile devices. While the hacking did little harm, it does show that Roblox is vulnerable to social engineering attacks and the company need to implement more effective measures to protect users’ personal data.