News is breaking that the popular gaming platform Roblox has suffered a major data breach, leading to the release of personal information, including home addresses, of those who attended the Roblox Developer Conference between 2017 and 2020.
The breach-notification website Have I Been Pwned reported that 3,943 accounts were compromised. The original date of the breach was December 18, 2020, and the information became public on July 18, 2023, despite the company's assurances that it would remain vigilant in monitoring and vetting its cyber posture.
Roblox has stated that it is aware of a third-party security issue involving unauthorized access to some personal information within its creator community. The company has enlisted outside specialists to assist its information security team's investigation, and those affected will receive an email detailing the support measures Roblox will put in place.
The potential ramifications for those affected include identity theft and scams due to the significant volume of data involved. Roblox has not provided further updates, and the full extent of the consequences may take time to emerge.
Sam Humphries, Head of Security Strategy, EMEA, Exabeam
“It’s important to remember that adversaries will always go for the path of least resistance to meet their end goal. In this incident, threat actors released the personal information of those attending the Roblox Developer Conference. Attendees likely included developers, engineers, and security professionals who have access to sensitive data on their companies’ networks. The threat actors who conducted the attack were likely not going after Roblox, but the personal accounts and workplaces of those who attended the conference. Rather than attack each organization individually, the adversary probably figured it would be easier to break through Roblox, particularly because this isn’t the company’s first data leak incident.
For any organization that had representatives attending the conference, it’s critical to have visibility and insights into user activities to detect anomalies, investigate, and then mitigate any abnormal behavior. To reduce the chance of unauthorized third-party access, which Roblox confirmed contributed to the release, I would encourage organizations to create a vendor risk management plan, thoroughly vet third parties, and require accountability to remain vigilant and align to best cybersecurity practices such as strong password management. The individuals impacted should also keep a very close eye out for abnormal activities across their personal email and bank accounts.”
Amit Shaked, CEO and Co-Founder, Laminar
“According to the website haveibeenpwned.com, the original breach date for this incident with Roblox was late 2020, with the compromise only coming to light a few days ago. Roblox was likely unaware that the data still existed on its network, which might have caused the long delay in detection.
Roblox is not alone. Unknown, or ‘shadow’, data has become a concern for 93% of data security and governance professionals today, and is a driving force leading to three in four organizations experiencing a cloud data breach over the last year. Shadow data can occur when legacy data isn’t deleted, copied data lives in test environments, data gets misplaced in buckets, or orphaned backups, which might have been what happened for Roblox, are left stale.
It’s important that organizations have automated monitoring and control of data, so that security and governance teams have the clarity they need to keep up with today’s fast-paced, cloud environment and avoid similar exposures.”