Any way to keep my robux safe?

Literally just set a secure password, verify an email and phone number and don’t click on obviously fake URLs or download suspicious files. With all the ridiculously long pending stages and delays Roblox has added for transferring any kind of funds this really shouldn’t be an issue.

If you’re really worried about it set an account pin and verify your ID and set up authenticator as well.
99% of the time someone gets their account breached it’s their fault for clicking an obviously fake link “r0bl00x .com” or opening a file.

1 Like

The best way is just to not trust any links that you do not know. For example if someone says there is a link and it’s to a Roblox game I will ensure Roblox owns the domain that they have linked.

1 Like

Hello There!

I highly suggest, if your account manages your important games/groups, having 2FA enabled. This is the simplest way to keep your account secure. Even if someone obtained your username and password, they would still have to get through entering a 2FA code that is only sent to your email inbox.

Other simple ways to keep your account safe are…

  1. Make a good, strong password that’s at least 6 characters.
  2. Make different passwords for all of your accounts.
  3. Verify your account with an email and phone number for strong recovery of your account with ROBLOX Support.
  4. Make a pin that is needed to edit settings. This pin is so a hacker can’t change ANY account info, most importantly your password, email, or phone number connected to your account.

The most common way people fall victim to getting hacked is clicking on or visiting websites that are really sketchy. And even if a site doesn’t look sketchy, if it ever asks you to input account information for something that isn’t for the website at all, don’t do it and immediately tab out.

Be safe out there!

3 Likes

First, download your email’s authenticator app. It’ll simultaneously generate 6-digit codes that you can use to log into your account. If you use a Google email, then you’ve got it easy, since I know where to direct you: first, go to myaccount.google.com, go to the security tab, add a recovery email such as a parent’s email, download the Authenticator app, and set up so many other things, I think. Having been DevExed over five times, I’ve never been hacked by setting my account up this way.

Also, I don’t want to add this in that paragraph somewhere but go to your Roblox settings too. Go to the security tab, and explore that too!

2 Likes

Have an extremely long and randomly generated password, stored in a password saver. Have a pin enabled. Make sure the email attached to your account is secure with 2FA. Have 2FA via Authenticator turned on. Use an app such as Google Authenticator or Microsoft Authenticator. Don’t click on suspicious links, don’t paste code into your browser, and be cautious when anything seems too good to be true. Follow this guide and I guarantee you won’t get hacked.

2 Likes

I’m pretty sure you can’t cookie log anymore

1 Like

It is harder, but I have seen exploiters bypass Roblox’s efforts to prevent cookie logging.

1 Like

I don’t like how people spread misinformation by saying “don’t click on any link”, because it is not like bad actors can manipulate the content or the code that is executed on a backend when you interact with an endpoint. For example, URLs are made of a domain, possibly a subdomain, followed by a path. Examples of domains are roblox.com and google.com; those can only be operated by Roblox and Google, therefore they cannot deliver bad content or run malicious code to steal your account. From there it follows that every subdomain is perfectly fine because it is under roblox.com, for example APIs like games.roblox.com.

If we want to be extremely precise and cautious here you can do whois lookups to see who owns a domain and understand if it’s a trusted company/user or not.

You should of course not just go around clicking random links etc but you must also be aware of simple concepts on how the internet works if we want to say it like that.

1 Like

A long and secure password when getting cookie logged does nothing, they can bypass your 2FA and password.

A user cannot get your cookies if you don’t access any malicious sites; that includes if you have a very secure password with a very long series of random characters. Check the 2nd-step verification along with your auth app on your phone (hackers won’t be able to access your phone easily). Put a pin password (any changes to your account will be denied by the Roblox system if they don’t know the pin). In short, check every security setting in your account to ensure full safety.

Forgot to mention, check this website cookie logs hyperlink

Yes, I know, but having a long password is still a good idea if someone wanted to brute force into your account.

It is still possible with upcoming fake websites pretending to be Roblox; these sites can include links like this: website.api.roblox.com, which is pretending to be the website API on Roblox, and you might actually click on a link like this. Obviously this link isn’t real. Despite their efforts it will never be possible to stop cookie loggers from ending their scam streak, as they can just hire Java and/or create JavaScript, which will again be (probably) updated to scam a user’s cookie, and then with this cookie the user (that has stolen your cookie) can bypass 2FA and your password interface while logging in, therefore having no problem stealing and exploiting your account and even completely resetting everything on your account. This can also go so far that the user (that scammed your cookie) can (after taking everything from you that you have on your account) delete your account permanently (as cookie logs often even include your security pin in the settings), change email, password, phone, etc… With that they can just request account deletion on the Roblox support page.

After brute forcing for a while the roblox api will detect that and (maybe) kick you off the website and/or give you the impossible captchas. Like you can’t do anything about those captchas.

I’ve seen a lot of comments here about long passwords, with little explanation as to why that protects your account. Here’s a basic crash course on the cybersecurity of password management:

Passwords are easy to generate

Why?

Passwords are strings, which are fundamentally an array of characters.

Being able to procedurally generate a string like that is trivial to a programmer, and is a common brute-force attack.

Attackers can generate a list of strings comprising different characters. That could be from a to z, from 0 to 9, from ~ to ), and any variation therein.

With that in mind, if your password was frog, then an attacker could write a program to iterate from a to z over a span of 4 characters (as the length of the array of characters frog is 4):

    import itertools
    import string

    # Enumerate every candidate of length 1..4 over a-z, shortest first (the brute-force loop described above)
    for length in range(1, 5):
        for candidate in itertools.product(string.ascii_lowercase, repeat=length):
            print("".join(candidate))

Their program would output something similar to:

a, b, c, etc…

aa, ab, ac, etc…

aaa, aab, … and you get the idea.

With that in mind, how easy is it for an attacker to try every password?

Well, let’s say hypothetically that you have a 4 character long password, comprising only letters in the Latin alphabet.

  • There are 26 characters in the Latin alphabet.

  • There are 2 cases (upper & lower).

  • Therefore, each letter must be one of 52 possible characters, ranging from aA to zZ.

  • The maximum number of combinations that your password can be is 52^4, each character being one of a possible 52.

Therefore, there are 7311616 possible combinations.

That sounds like a lot, but a quick (unoptimised) program I just wrote & ran calculated all the possible combinations in 18 seconds.

Passwords are easy to guess

Why?

The above program isn’t very practical to an attacker. It might work fine for an account that uses 1234 as a password, but beyond that, it’ll take time and resources to crack a 16 character long password (especially if it has a mix of ASCII letters, integers and special characters), and you can bet your bottom dollar that your account won’t be the only one they’re interested in accessing.

With that in mind, the cornerstone of cybersecurity is:

You shouldn’t be trying to stop the attacker; you should be trying to raise the cost to the attacker.

… where cost is the time, money or resources the attacker values.

Going back to our frog example password: logically, someone who wanted to gain access to your account would iterate through the words in a dictionary first. Maybe your favourite word is frog, and you happen to have that in your ROBLOX bio. It makes sense that an attacker would pull words like that from your socials.

Having a long password like frogsarethebest is not practical if it’s easy to guess.

Equally, ROBLOX has a friends list, which is essentially an address book of all the people who you have met online who could contact you. Even if you had a super-duper strong password that no attacker could ever feasibly get their hands on, it could be easier for them to attack your friend’s account.

In doing so, they could send you a message asking for your security cookie, and thus gain access to your account.

That is called social engineering.

More characters equals more security

Why?

The factors that influence the strength of a password are:

  • Length
  • Character variation (ASCII letters, integers, special characters)
  • Randomness

A longer password is better because the attacker has to try more characters than a shorter password, therefore you waste their time and resources.

A character varied password is better because the attacker has to try more characters than a password containing one type of character, therefore you waste their time and resources.

A random password is better because the attacker cannot rely on the influence of words (like a favourite pet’s name), therefore you waste their time and resources.

So, going from frog, a password an attacker could crack in 7311616 combinations, let’s try something more secure with all of these in mind.

Let’s make our password:

  • 16 characters long
  • Include letters (uppercase & lowercase)
  • Include integers
  • Include special characters

Let’s say our password is %V4@o7$n$F*T53&4. That matches our criteria.

How many combinations are there that an attacker would potentially have to try before getting our password?

  • There are 26 letters of each case in the Latin alphabet; that’s 52 potential characters.
  • There are 10 potential integers that each character could be. 52 + 10 = 62.
  • There are ~32 special characters on a standard keyboard. 62 + 32 = 94.
  • Therefore each character in our password must be one of 94 possible characters.
  • Our password is therefore one of 94^16 (that’s 94 to the power of 16) combinations.

Our password has 3.715742908×10³¹ possible combinations.

Based on the time my program took earlier: calculating every combination of that password would take 2.117488407×10²¹ days.

TL;DR: Read the last point! :smiley:

Hope this helps.

1 Like
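To put numbers on the crash course above, here is an added worked example (mine, not code from the poster). It computes the keyspace and the exhaustive-search time at a chosen guess rate, runs the shortest-first brute force to show how many guesses “frog” survives, and contrasts it with a wordlist attack to show why a long but guessable password like “frogsarethebest” gains nothing. The guess rate is derived from the 18 seconds quoted above (about 406,000 guesses per second); the 10 guesses/second figure for a rate-limited online endpoint and the US-keyboard symbol set are assumptions.

```python
import itertools
import math
import string
from typing import Iterable, Optional, Tuple

# Character classes as counted above (assumption: US keyboard symbol set, 32 symbols).
LOWER = string.ascii_lowercase          # 26
LETTERS = string.ascii_letters          # 52
ALNUM = LETTERS + string.digits         # 62
PRINTABLE = ALNUM + string.punctuation  # 94

# 52^4 = 7,311,616 candidates in 18 s, as timed in the post above; the guess rate assumed below.
GUESSES_PER_SECOND_FROM_POST = 7_311_616 / 18


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length (a power, not a product)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: each extra character of a 94-symbol password adds about 6.55 bits."""
    return length * math.log2(alphabet_size)


def worst_case_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days to exhaust the keyspace at a given guess rate (the expected time is half of this)."""
    return keyspace(alphabet_size, length) / guesses_per_second / 86_400


def brute_force(target: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Shortest-first exhaustive search over `alphabet`, as the pseudocode above describes.

    Returns (match, attempts); match is None when the target is longer than max_len
    or uses a character outside the alphabet.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            attempts += 1
            if "".join(candidate) == target:
                return target, attempts
    return None, attempts


def dictionary_attack(target: str, wordlist: Iterable[str],
                      suffixes: Tuple[str, ...] = ("", "1", "123", "!")) -> Tuple[Optional[str], int]:
    """Try each wordlist entry with a few common manglings before any exhaustive search.

    A passphrase built from words off your profile is one wordlist line, not one of
    26**15 random strings, which is why length alone does not save 'frogsarethebest'.
    """
    attempts = 0
    for word in wordlist:
        for suffix in suffixes:
            attempts += 1
            if word + suffix == target:
                return target, attempts
    return None, attempts


if __name__ == "__main__":
    print("52^4 =", keyspace(52, 4))
    print("frog found after", brute_force("frog", LOWER, 4)[1], "guesses")
    for size, length in ((52, 4), (94, 16)):
        print(f"{size}^{length}: {entropy_bits(size, length):.1f} bits, "
              f"{worst_case_days(size, length, GUESSES_PER_SECOND_FROM_POST):.3g} days offline at the quoted rate, "
              f"{worst_case_days(size, length, 10):.3g} days at 10 guesses/s (rate-limited online)")
```

Two things worth noticing when you run it: the 52^4 figure only matches the post’s 7,311,616 as a power, not as 52 * 4, and the guess rate is the term that dominates everything else, which is exactly the point the later reply makes about rate limiting raising the attacker’s cost without stopping them.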

If only that were the case. Not all brute-force attacks are manual, and some don’t include a graphical website at all.

An issue with endpoints is that they’re easy to circumvent.

For instance, Python has a try-catch system implemented in its language (the equivalent of pcall() in Lua), so an attacker could easily instruct their program to wait before trying to access the account again.

That way, even if ROBLOX were to boot their program off (also known as rate-limiting) an endpoint for a while, it won’t stop a program indefinitely.

1 Like

I reported a lot of scammers, and it didn’t work. They continued to scam other people.

Yes, a long password is good, but you also need to have a “strange” password, a password that doesn’t mean anything. I want to say that, even if these passwords have the same number of characters, “NxMkh3DbbnX3@8D3fKD!bK!tjccA!qRQ9d” is more secure than “Ilovemycomputerandthisismypassword”.

People who do that aren’t your friends.

1 Like

That’s not a great example because I’m pretty sure it’s still the roblox.com domain, and I’m also pretty sure you don’t get hacked by clicking on a link.

1 Like

It ends with “roblox.com”, so as @basilio4 said:

it stays the Roblox domain and it’s official.

1 Like
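Since the “is this link really Roblox?” question came up twice (the explanation of domains and subdomains earlier, and the website.api.roblox.com example just above), here is an added example, my own and not from any poster, of doing that check by parsing the URL instead of eyeballing it. It decides by the registrable domain of the host only, which is what the browser actually connects to; it does not do the whois lookup mentioned earlier (that needs the network) and it assumes two-label suffixes like .com (a public-suffix list would be needed for co.uk-style suffixes). The trusted set and the sample links are constructed; example.net is a reserved name, so none of the hostile-looking samples are real sites.

```python
from typing import FrozenSet
from urllib.parse import urlsplit

# Registrable domains the reader actually trusts; constructed for this example.
TRUSTED: FrozenSet[str] = frozenset({"roblox.com"})


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host (example.net from www.example.net).

    Assumption: two-label suffixes only; a public-suffix list is needed for
    multi-label suffixes such as co.uk, which a .com check does not need.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_check(url: str) -> bool:
    """The check people do by eye: 'does the link contain roblox.com somewhere?'"""
    return "roblox.com" in url.lower()


def link_is_trusted(url: str) -> bool:
    """Parse the URL and decide by the registrable domain of the host alone.

    Scheme must be http(s). Userinfo ('roblox.com@...'), port and path are ignored
    because only the host decides which server the browser talks to.
    """
    if "://" not in url:
        url = "https://" + url          # bare host pasted into chat
    parts = urlsplit(url)
    host = parts.hostname               # lowercased; userinfo and port stripped
    if parts.scheme not in ("http", "https") or not host:
        return False
    return registrable_domain(host) in TRUSTED


# Constructed links for the demo; example.net is reserved, so none of these exist.
SAMPLES = [
    "https://www.roblox.com/games/123",
    "https://website.api.roblox.com/",          # the host debated above
    "https://roblox.com.example.net/login",     # prefix trick
    "https://roblox.com@example.net/",          # userinfo trick
    "https://example.net/roblox.com/login",     # path trick
    "https://r0bl00x.com/",                     # lookalike from the first reply
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:42} naive={naive_check(link)!s:5} host-based={link_is_trusted(link)}")
```

Running it shows the two checks disagreeing exactly where it matters: the naive substring test passes roblox.com.example.net and the userinfo and path tricks, the host-based test rejects all of them, and both agree that website.api.roblox.com is under roblox.com. Whether a link under roblox.com actually exists is a separate question that no URL check can answer.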

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.