
Roblox hacker enabled by insider threats; expert offers tips to curb rogue employees

A hacker reportedly used both bribery and social engineering to gain unauthorized access to a customer support system operated by the popular video game Roblox -- illustrating why companies must be on the lookout for employees who fit the mold of an insider threat.

The unnamed hacker told Motherboard that they paid one insider to perform user data lookups for them, and then later phished an unwitting customer support representative in order to access the back-end system. The actor reportedly backtracked at one point and blamed their access on an exploited vulnerability, but Roblox later stated that social engineering was, indeed, involved.

By entering the system, the hacker reportedly had the ability to view gamers' email addresses, change their passwords, remove two-factor authentication protections, ban users and more. The individual reportedly demonstrated this by changing the password for two accounts and selling off their items.

These developments are especially concerning because Roblox is a highly popular online game platform and game creation system with 100 million monthly active users, many of whom are children looking for entertainment while stuck at home due to the COVID-19 pandemic.

Unfortunately, the actions of two Roblox employees apparently helped the hacker expose these users. While it can be difficult to stop insiders from causing security breaches, one expert advised SC Media on steps companies can take to reduce the risk of employees being bribed or phished.

"In terms of quantity, phishing attacks are much more common than bribery. However, you would be surprised how often [bribery is] happening. It is especially common with outsourced developers, third-party contractors and employees who are new to an organization," said Matt Radolec, director of security architecture and incident response at data security and insider threat detection company Varonis Systems. "In one case, we identified an outsourced developer who accepted a bribe to modify a single API query to exfiltrate the information from the query both to the maker of the query and to the organization doing the bribing."

To guard against these incidents, "Organizations should track employee performance and satisfaction to monitor for insider threats. From our experiences, insiders will have more than one warning indicator that they are susceptible to a bribe," Radolec continued. "For instance, accessing large amounts of data they wouldn't typically, trying to access executive mailboxes or pay/salary information."

If these preventative measures don't help pinpoint potentially dangerous or negligent employees, then there are also safeguards companies can introduce to detect harmful behaviors more quickly. Radolec suggested that companies leverage behavior analytics in order to get a sense of which files, folders, sensitive data and devices employees typically use, and how users consume perimeter resources.
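As an added illustration (not code from SC Media, Varonis or Roblox), the sketch below builds a per-user baseline from an access log and flags the two warning indicators Radolec names: unusually large data access and first-time access to sensitive categories. The log format, category names, sample events and thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log: (day, user, resource_category, records_read).
# Category names and the sensitive set are assumptions for this illustration.
SENSITIVE = {"exec_mailbox", "payroll"}
HISTORY = [
    (1, "alice", "support_tickets", 40), (2, "alice", "support_tickets", 35),
    (3, "alice", "support_tickets", 45), (4, "alice", "support_tickets", 38),
    (1, "bob", "support_tickets", 50), (2, "bob", "user_lookup", 12),
    (3, "bob", "support_tickets", 55), (4, "bob", "user_lookup", 10),
]
TODAY = [
    (5, "alice", "support_tickets", 42),
    (5, "bob", "user_lookup", 900),   # volume far above bob's norm
    (5, "bob", "payroll", 3),         # category bob has never touched
]

def build_baseline(events):
    """Per user: set of categories seen and list of daily record totals."""
    cats, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, user, cat, n in events:
        cats[user].add(cat)
        daily[user][day] += n
    return {u: (cats[u], list(daily[u].values())) for u in cats}

def score_day(baseline, events, sigma=3.0):
    """Return {user: [reasons]} for users whose day deviates from baseline."""
    totals, touched = defaultdict(int), defaultdict(set)
    for _, user, cat, n in events:
        totals[user] += n
        touched[user].add(cat)
    alerts = defaultdict(list)
    for user, total in totals.items():
        known, hist = baseline.get(user, (set(), []))
        if not hist:
            alerts[user].append("no baseline for user")
            continue
        # Floor the spread so a very steady history does not alert on noise.
        limit = mean(hist) + sigma * max(pstdev(hist), 0.1 * mean(hist))
        if total > limit:
            alerts[user].append(f"volume {total} > limit {limit:.0f}")
        for cat in sorted(touched[user] - known):
            tag = "sensitive " if cat in SENSITIVE else ""
            alerts[user].append(f"first access to {tag}category {cat}")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in score_day(build_baseline(HISTORY), TODAY).items():
        print(user, reasons)
```

An alert here is a prompt for review rather than proof of wrongdoing; a real deployment would draw on much longer history and account for role changes.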

Per Motherboard, a Roblox spokesperson commented on the hack, stating: "We immediately took action to address the issue and individually notified the very small amount of customers who were impacted." The spokesperson also noted that the incident was reported to Roblox's official vulnerability disclosure platform provider HackerOne, after the hacker tried to claim a bug bounty for performing the systems intrusion.

The hacker reportedly told Motherboard that they did it to "prove a point" and only tinkered with user accounts after the bug bounty attempt failed. SC Media contacted HackerOne for its take on the incident, and the company declined to comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
