My account got caught with at least a few others in some kind of security breach on the 29th/30th, mostly targeting very old accounts. Items were shuffled between the accounts to create confusion, before being very quickly sold (Speaking of which, I’d like to speak to staff about how these items are being sold).
Everyone caught in the security breach seems to have noticed very quickly, since BC (and therefore active) users were targeted, but once you have the password of an account without two-factor authentication you have no limits since there’s no sanity-checks on what you do.
I and no doubt everyone else involved now have two-factor authentication and a new password, but if there was a way to give users time to notice then they could beef up security before anything bad happens.
An email notification for each new device login and email approval required for questionable trades/purchases would be a good solution.
“Questionable trades/purchases” means anything that would take you over 500 Robux lost in that day on non-ROBLOX items or in trades you lose in. That should almost never happen, the only people who ever do that are developers paying people or kids who are way too prone to in-game-purchases.
Steam has insanely high security for trading items, and while I do think it’s a little over-the-top (having to confirm through a phone app instead of through email if you want to trade a $1 item without a 24-hour delay), Roblox has many accounts with hundreds/thousands of dollars worth of tradable items and it has no security beyond optional two-factor authentication during logins which many users don’t even use because they’re using their parent’s email.