Roblox Data Breach Exposes Personal Information of Nearly 4,000 Developers

Roblox suffered a data breach that exposed personal information for nearly 4,000 developers, according to reporting by PC Gamer. The leaked records included names, phone numbers, email addresses, dates of birth, physical addresses, and even t-shirt sizes collected from attendees of the Roblox Developers Conferences held between 2017 and 2020. In total, 3,943 developer profiles were compromised.

Roblox Corporation acknowledged a third-party security issue and said company staff saw indications of unauthorized access to a limited subset of creator data. The company said it engaged independent experts to investigate and began notifying impacted people.

Independent breach tracker haveibeenpwned reported that the compromise occurred in December 2020 and that the dataset only became publicly available in July 2023. Reporting indicates that in 2021 the information circulated within small Roblox communities but did not spread widely until it was reposted to a public forum in July 2023.

Because the exposed records contained multiple personal identifiers, security researchers warned the data can be used for identity theft and targeted scams. Several affected developers reported receiving social engineering attempts that used details from the leak to make messages appear legitimate.

Roblox said it had contacted those affected and offered services to individuals who faced more significant impact. In a statement shared with Troy Hunt, the creator of haveibeenpwned, Roblox said, “Minimally affected users just got a sorry email. For more seriously affected users, they got a year of identity protection and an apology for everyone else.” You can view the post from Troy Hunt on Twitter.

Questions remain about when Roblox first learned of the breach and how quickly it notified affected creators. The full consequences for people listed in the leaked records may continue to unfold, and security professionals urged developers to be cautious with unsolicited messages and account requests that reference personal data.

What developers and users should do

Anyone who attended a Roblox Developers Conference between 2017 and 2020, or who suspects their information might appear in the leak, should check their email and other accounts for unexpected messages. The recommended steps are to search for your accounts on haveibeenpwned, enable two-factor authentication on all important accounts, and monitor bank and payment activity for unusual transactions. Changing account passwords to unique phrases and being suspicious of messages that reference personal details will help reduce risk.

This incident is a reminder that data collected at events can persist long after the conference ends. For context on how breaches have affected other developers and studios, see our earlier coverage, "GSC Game World Addresses Security Breach and Information Leak of S.T.A.L.K.E.R. 2", which described another high-profile compromise.

Margarita Kicevski

My job is similar to Angel's, focus on news and updates, even though most of my work is taking care of two little devils. I am here to cover when most needed, and try to deliver the best I can. It's my fault pushing Angel to reboot ConsolePCGaming.com. Wish me luck <3.
