A major data leak was publicized identifying personal information of nearly 4,000 people who attended the annual Roblox Developer Conference between 2017-2020.
The information leaked includes clothing sizes, dates of birth, email addresses, IP addresses, full names, phone numbers, physical addresses, and usernames, according to data breach tracking website haveibeenpwned. The original breach occurred on December 18 2020, with the information resurfacing on Tuesday.
An unnamed source told Troy Hunt, the engineer behind haveibeenpwned, that the data leak was originally released in 2021, initially only circulating among small Roblox cheating communities before being re-published on a much larger forum this Tuesday, drawing much more public attention. The same source mentioned that Roblox never alerted any of those affected about the data breach, leaving conference attendees unaware of their risk. Providing such an alert, they noted, is legally required in the state of California, where Roblox is headquartered.
Confronted with a more public situation, Roblox has decided to disclose the leak now. The company told Hunt that they have contacted all affected parties, offering those more seriously affected a free one-year subscription to an identity theft protection tool, with screenshots of the emails for proof. They have also released this statement to the press:
“Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community. We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third party vendors.”
The forum post which re-published the leak has since been deleted.