Update: Roblox reaches out to Tech Times to clarify the previous report. It says it was not a Roblox employee who obtained the information, but a worker from an outsourcing company.
Roblox hacked from the inside: items sold, passwords changed, two-factor authentication removed
There are many ways a hacker can break into a system. There's old-school brute force, and there's social engineering, which involves phishing, lying, or, in this case, bribing to gain access to secured data.
In the case of Roblox, the hacker in question anonymously told Motherboard that all he needed to do was bribe a particular Roblox customer support representative to be able to gain access to the customer support panel for the popular online game.
Once inside, the hacker could do several things: view email addresses, change users' passwords, remove two-factor authentication, and ban users temporarily or permanently.
According to the hacker, he did this to "prove a point," and had no other ulterior motives. To prove that he had no ill intent, he provided several photos that show details of several players, including popular users.
This act wasn't strictly out of good intent. The hacker changed the passwords of two accounts, sold several items, and also updated two-factor settings once it became clear that an attempt to claim a bug bounty, which doesn't exist for the game, wouldn't work.
Roblox Corporation's response to the security breach
The studio was not happy at all. A spokesperson for Roblox Corporation addressed the issue and warned the affected customers of the violation. Naturally, they reported the hacker to the HackerOne bug bounty program for an immediate investigation.
The hacking did little damage; however, it does show that Roblox is vulnerable to social engineering attacks, as the bribing of a customer support rep to give out information demonstrates.
One reason an employee would act this way is inadequate compensation. SIM swapping and similar schemes typically wouldn't work if the targeted employee were well compensated and received adequate attention from the company.
For now, unless companies can find ways to discourage their employees from taking bribes and committing other nefarious acts against their employers, it's only a matter of time before something like this happens again.
Roblox is now more popular in terms of active users than the popular game Minecraft, and it's all thanks to the free subscription that gives anyone access to play the game. The numerous servers hosting different games also make it popular with kids, especially now, during the lockdown, with schools forced to shut down.