Report: Roblox ‘Insider’ Bribed for Access to Confidential Player Data

I used CookieSwirlC for the header because she's my niece's favorite. :)

Even in this modern age of two-factor authentication and password managers, those tools protect a login, not the people on the other side of the counter; there’s still only so much one can do to protect against a good ol’ fashioned greasy palm. After failing to grift their way into a phony bug bounty reward (I’ll get to that in a second), an anonymous hacker spoke to Motherboard and provided evidence that they had been able to fully access the customer support backend of Roblox, an extremely popular game creation platform used by over 100 million people worldwide, many of whom are minors. The key to their success was, at least in part, a bribe paid to a “Roblox insider.”

The insider performed “user data lookups” for the hacker in exchange for an undisclosed sum. The hacker also phished information from a customer support representative, though which of the two vectors ultimately got them in is unclear from Motherboard’s reporting. Once inside Roblox’s customer service system, the hacker was able to view confidential contact information, manipulate account inventories, and even alter two-factor authentication settings, which means the support tooling sits above the very account protections a player can switch on. Only a handful of accounts were affected by the compromise, which began as an attempt by the hacker to collect a bug bounty from Roblox Corporation. Per Motherboard:

Originally the hacker told Motherboard they phished a Roblox worker to gain access to the back end customer support panel, before backtracking and claiming it was due to an issue in a piece of authentication software. There is no indication such a vulnerability existed. Roblox characterized the hack in an email to Motherboard as a social engineering attack, which would be in line with phishing.
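The practical lesson for anyone who runs a support backend like the one described above is that a bribed or phished agent uses the same panel, with the same credentials, as an honest one, so the only place to catch it is in the audit trail of what the panel is asked to do. The following is an added example, not code from the article or from Roblox: it reads a constructed support-panel audit log and flags three patterns that fit this incident. Sensitive actions (2FA changes, password resets, inventory edits) performed with no ticket attached, a burst of ticketless contact lookups by one agent, and a sensitive action filed under a ticket that was opened for a different account. The log format, field names, action names and the burst threshold are all assumptions made for the example.

```python
"""Added example (not the article's or Roblox's code): flag risky activity in a
customer-support backend audit log. The log lines, field names, action names
and thresholds are constructed for illustration."""

from collections import Counter, defaultdict

# Constructed audit log, one event per line, whitespace-separated:
# timestamp  agent  action  target_account  ticket_id ("-" if none attached)
SAMPLE_LOG = """
2020-05-01T10:00:01Z agent_a lookup_contact   user_101 T-5001
2020-05-01T10:02:17Z agent_a lookup_contact   user_102 T-5002
2020-05-01T10:03:40Z agent_b lookup_contact   user_201 -
2020-05-01T10:03:55Z agent_b lookup_contact   user_202 -
2020-05-01T10:04:02Z agent_b lookup_contact   user_203 -
2020-05-01T10:04:20Z agent_b disable_2fa      user_203 -
2020-05-01T10:05:00Z agent_b modify_inventory user_203 -
2020-05-01T10:10:00Z agent_a disable_2fa      user_101 T-5001
2020-05-01T10:11:30Z agent_a disable_2fa      user_102 T-5001
"""

# Actions that change account state rather than merely read it (assumed names).
SENSITIVE_ACTIONS = {"disable_2fa", "reset_password", "modify_inventory"}
# Hypothetical threshold: this many ticketless lookups by one agent is a burst.
LOOKUP_BURST_THRESHOLD = 3


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, target, ticket = line.split()
        events.append({
            "ts": ts,
            "agent": agent,
            "action": action,
            "target": target,
            "ticket": None if ticket == "-" else ticket,
        })
    return events


def find_alerts(events):
    """Return a list of alert tuples for the three patterns described above."""
    alerts = []
    ticketless_lookups = Counter()          # agent -> ticketless lookup count
    ticket_targets = defaultdict(set)       # ticket -> accounts seen under it

    for e in events:
        agent, action, target, ticket = e["agent"], e["action"], e["target"], e["ticket"]

        if ticket is None:
            # A state change with nothing to justify it is the clearest signal.
            if action in SENSITIVE_ACTIONS:
                alerts.append(("sensitive_without_ticket", agent, action, target))
            # Contact lookups with no ticket are counted and judged in bulk below.
            elif action == "lookup_contact":
                ticketless_lookups[agent] += 1
            continue

        # A ticket is bound to the first account(s) it was used for; a sensitive
        # action under that ticket against some other account means the ticket
        # is being reused as cover. A ticket seen for the first time cannot be
        # judged and simply establishes its target.
        if action in SENSITIVE_ACTIONS and ticket in ticket_targets \
                and target not in ticket_targets[ticket]:
            alerts.append(("ticket_target_mismatch", agent, action, target, ticket))
        ticket_targets[ticket].add(target)

    for agent, n in ticketless_lookups.items():
        if n >= LOOKUP_BURST_THRESHOLD:
            alerts.append(("ticketless_lookup_burst", agent, n))

    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the script flags agent_b's untracked 2FA disable and inventory edit, agent_b's three ticketless lookups, and agent_a's 2FA disable on user_102 under a ticket that was opened against user_101. None of these rules needs to know how the agent got their access; a bribed insider, a phished rep and a stolen session all look the same at this layer, which is the point.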

Needless to say, the hacker was unable to convince Roblox Corporation that their unauthorized access was the result of a security flaw and therefore eligible for a reward under the bug bounty program Roblox runs on the white hat hacking platform HackerOne. At that point the hacker decided to cut their losses: they stole items, changed passwords, and messed with two-factor authentication settings, and then, presumably, reached out to Motherboard for their moment of fame. “I did this only to prove a point to them,” the hacker told Motherboard, though what that point actually was remains a mystery.

If the hacker’s message was “some people can be bought,” well, okay? That’s not exactly groundbreaking information, and neither is the fact that some people can be phished into giving up sensitive corporate information — companies as big as Roblox Corporation already know how vulnerable rank-and-file contractors are to corporate espionage attempts exactly like this one. At any rate, Roblox Corporation reported the hacker to HackerOne, so they’ll hopefully have a hard time using the platform again for future attempts at defrauding major corporations of their bug bounty bullion.

This is the first time I’ve ever heard of a hacker doing black hat stuff to scam their way into a white hat payday, instead of just, like, doing the normal bad-guy hacker stuff that evil people use to steal money all the time. And if they don’t want to do the actual bad stuff (commendable!), why not learn how to do the good-guy stuff that also makes money? Why even go to the trouble of running the grift in the first place? Answer me!!