Accounts with an unverified email appear in emailed one-time codes

I recently had to sign into my phone using this method due to the main method refusing to work.

When I go to select my main Roblox account, a not very SFW account that I have never heard of shows up.

Curious, I decide to let myself into this account in a private window to find it's using my email address, unverified.

I hypothesise that for accounts that have a verified email which then attempt to use a new email, this won't work.

Expected behavior

Accounts with unverified email addresses should not appear here; it's a security loophole waiting to happen.

Note: While a private message was sent, it's no longer applicable because the situation changed.

3 Likes

Thanks for the report! We’ll follow up when we have an update for you.