A “grey” Roblox market called “RBX.Place” has been compromised by hackers, and all user information from 2018 got stolen. Motherboard got a chance to look at a sample of the data, and they confirm that there are email addresses, financial transactions, hashed passwords, and various types of personal information like Skype usernames and user IP addresses in it. The tipster who reached the publication was not the hacker responsible for the compromise, but one that bought it from the direct actors. So far, there has been no announcement to acknowledge the incident coming from the marketplace. Still, if you’re a member, you are advised to revert from trying to buy or sell anything there.
The particular market is operating in a grey area because selling in-game items from the Roblox platform is against the rules. That said, if the game publisher accesses this data, they may ban many users for violation of the terms of conditions. As for the leak of the passwords, this isn’t introducing a noteworthy risk for stuffing attacks, as the hashing algorithm used is reportedly quite resilient to cracking. Thus, the exposed people have more to fear from the Roblox Corporation rather than the hackers who stole their data.
Roblox is a massively popular online gaming platform and game creation system where users produce, share, and play games created by others. It’s an entire universe consisting of racing games, role-playing games, platformers, simulation titles, socializing games, tycoon and time management games, and more. Roblox counts over 100 million active users every month, and it’s available on the Xbox, PC, Android, and iOS platforms. Users are allowed to sell items to other users, but not for real money. This hasn’t stopped people from joining unofficial grey markets and make the transactions there, so there’s a considerable size of economic activity going on around Roblox.
This is a good opportunity to highlight the risks that come with using these unofficial platforms. First, you are trusting an unknown entity with your payment details, and very often, your credit card. Secondly, you have no protection against chargebacks or other types of financial fraud. Thirdly, you are risking paying for something that you’ll never receive. The compromise of “RBX.Place” proves that these stores do not invest a lot in the protection of their users’ data, and even if they work as promised, they are not without any risks.