Enhanced Account Verification to Combat Exploitation on Roblox

Issue: My Roblox game has been severely affected by persistent exploiters for several years. Despite developing an effective anticheat system and implementing a one-month account age minimum, the problem persists. The root cause stems from exploiters using a Roblox account farming service, allowing them to quickly obtain new accounts for exploitation even after being banned. This service appears to exploit old and vulnerable Roblox accounts by storing their passwords, making it easy for exploiters to re-enter the game almost immediately.

Additionally, exploiters can easily find limitations and weaknesses in my anticheat system because they can rapidly obtain new and older accounts to test and bypass these measures. This cycle of continuously acquiring new accounts to identify and exploit anticheat vulnerabilities further undermines the security and integrity of my game.

As a developer, this is extremely discouraging. The constant battle against exploiters who can so easily return to the game despite my best efforts makes it challenging to maintain a fair and enjoyable environment for my players.

Proposal: To address this issue, I request the addition of a mandatory verification process for Roblox accounts. This enhanced verification would ensure that vulnerable accounts are more difficult to access and use for exploitation. While it is widely known that exploiting is a significant issue on Roblox, the ease with which new accounts can be created and used for malicious activities is a more pressing concern. Implementing stronger verification measures would significantly reduce the impact of exploiters and improve the overall gaming experience.

4 Likes

After looking into this matter, I’ve learned that Roblox is aware of the issue and, if my information is accurate, could address it but chooses not to. The reason seems to be that the extra accounts are favorable to shareholders and investors. However, they should take action, as it’s nearly impossible to develop a game on Roblox now due to the lack of effective anti-cheat measures or banning systems. This is a significant concern that needs resolution.

Is there a reason why the Player:IsVerified() function doesn’t help with your use case? You should keep in mind that you shouldn’t be gating gameplay entirely behind this function, though, and should retain a way for unverified users to play normally, as per the documentation.

If I implemented this, it would likely result in excluding many regular players. The situation would be different if Roblox enhanced their account security. If I enforced this as a requirement, players might switch to a different game. However, if Roblox made it mandatory, players would comply and instantly fix the root of the problem.

As I and the documentation mentioned, you shouldn’t lock out regular players anyway. I assume the ideal flow here would probably be to reserve the API for competitive game modes within your experience and still provide regular players with a way to progress without needing to verify, perhaps just through normal gameplay.

However, I can only assume many games would not benefit from extra requirements to join all games on the platform. Some developers may wish to still allow unverified players to join because a large majority of their player base may not be “Roblox veterans” and just want to create an account and join in quickly. Adding a verification system requirement unfortunately makes it more difficult to do so and adds friction to the entire process, making Roblox games a bit less attractive to those who are generally non-Roblox players.

So you want to block access to players who are unable to verify from the whole PLATFORM just so your game can be more secure without losing many players?

I’m not sure what your proposal is then. You first suggested I use this feature to catch these farmed accounts but are suggesting that I don’t use it as well? I’m confused. There are no competitive game modes; I have an open-world ant survival game.

If Roblox has the ability to and refuses to do anything in order to look better to shareholders, this is unethical and a big issue to me, as they are purposefully sabotaging their player experiences for the sake of a higher account number.

I’m struggling to see how sustaining a game on Roblox is feasible. Here’s the dilemma:

Players discover a game they enjoy and think, “I want to exploit this to gain currency” or whatever their motivation might be.

The anti-cheat system detects this behavior and bans the player. Normally, they would move on and find a new game. However, that’s not the case here because they can simply create/obtain a new account and repeatedly test the anti-cheat system until they find a way to bypass it.

In my case, it becomes an even greater issue when they decide to freely outsource their cheat; this happens in every single Roblox game.

1 Like

I don’t think the answer to fixing this issue is preventing people who cannot verify from accessing the entire platform and playing their favorite games. Exploiters will just buy alts with pre-verified emails.

Just curious, what is your game about and how are these exploiters ruining the experience for other players? About how many exploiters/alts do you notice a day?

I’ve spent the past year learning how to prevent exploits. I have implemented a robust anti-cheat system and a dedicated staff team to manually ban exploiters. The issue is what I have mentioned: they are able to easily get past Roblox bans and find new accounts to test any anticheat updates on. However, if there’s something more that can be done, I’d love to know, as I still don’t see a way to sustain a Roblox game.

My game is an open-world ant survival game, where players manage ant colonies and control special insects to fight each other. The game has large servers, which have attracted significant popularity, especially among exploiters who enjoy feeling overpowered and in control. The main issue has been players teleporting around and killing everyone instantly. Although I’ve added multiple layers of protection, completely detecting and preventing this behavior is challenging. Exploiters can always move their characters slower to avoid detection. Server-sided detection for teleporting and speeding also doesn’t work well due to latency issues, leading to numerous false positives. There is really no way of detecting if a player teleports up to someone, bites them, teleports out of distance, and repeats until they kill entire servers for hours, all out of fun.

1 Like
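An added illustration, not part of any post in this thread and not code from any poster's game: one way to soften the latency false positives described above is to score movement with a leaky bucket instead of flagging a single fast sample. The thresholds, the `tracked` table and the `onViolation` hook are assumptions made for this example.

```lua
-- Added example: Script in ServerScriptService. Thresholds are assumed values.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local SPEED_SLACK = 1.5  -- allowed multiple of WalkSpeed (slopes, jitter)
local BUDGET_LIMIT = 60  -- studs of excess travel tolerated before flagging
local BUDGET_DRAIN = 10  -- studs of excess forgiven per second

local tracked = {}       -- [Player] = { pos = Vector3, excess = number }

-- Hypothetical hook: queue for staff review instead of banning automatically.
local function onViolation(player, excess)
	warn(string.format("[movement] %s: %.1f studs over budget", player.Name, excess))
end

local function check(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid) or humanoid.Health <= 0 then
		tracked[player] = nil -- dead or respawning: restart tracking later
		return
	end
	local entry = tracked[player]
	if not entry then
		tracked[player] = { pos = root.Position, excess = 0 }
		return
	end
	-- Horizontal travel only, so jumping and falling are not counted.
	local moved = ((root.Position - entry.pos) * Vector3.new(1, 0, 1)).Magnitude
	-- The server's copy of WalkSpeed is used; client-side edits do not replicate.
	local allowed = humanoid.WalkSpeed * SPEED_SLACK * dt
	-- Leaky bucket: a lag burst adds a few studs that drain away again,
	-- while repeated long jumps fill the bucket faster than it drains.
	entry.excess = math.max(0, entry.excess + math.max(0, moved - allowed) - BUDGET_DRAIN * dt)
	entry.pos = root.Position
	if entry.excess > BUDGET_LIMIT then
		onViolation(player, entry.excess - BUDGET_LIMIT)
		entry.excess = 0
	end
end

RunService.Heartbeat:Connect(function(dt)
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, dt)
	end
end)
Players.PlayerRemoving:Connect(function(player)
	tracked[player] = nil
end)
```

Game code that moves a character itself (spawn pads, server teleports) has to clear that player's entry first, and a player who stays under the budget is not caught by this check, so it complements manual review rather than replacing it.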

To make my stance abundantly clear, my fellow developers and I feel very let down by Roblox. We shouldn’t have to learn all these technicalities just to make games. While I understand that a free-to-play platform attracts more players and makes security harder, Roblox really needs to step up their game and provide better support for developers. It’s very discouraging; I feel like I can’t make anything on this platform.

I know a lot of this discussion is going on in these two threads:

Introducing the Ban API and Alt Accounts

Preventing Account Farming and Exploits

Roblox has taken two stabs at this to no avail. Hopefully the third time is a charm, especially with investor pressure on their daily account user metrics. A lot of analysts feel like Roblox’s measure of how they count active users is 20-30% inflated because of how many exploiters and botters play the game.

You’re not alone in this, OP. Something has to change.

1 Like

The alt ban api would be amazing if it wasn’t so easily bypassed.

ROBLOX is just a small start-up, maybe we should take it easier on them.

It’s not like they’re a billion dollar company that has had 10+ years to crack down on this or anything…

Just check if the player owns the verified plaidified hat or whatever it was. That’s the bare minimum for authentication/verification, anyone who’s intending to use their account for more than 5 minutes would have it.

The problem isn’t with people creating new accounts, as I have a minimum account age requirement of one month. The issue lies with account farming services. These services allow users to click a button and receive login information for unprotected accounts. There is no way for me to detect this, as these accounts are usually a few years old, have been played on, but were subsequently abandoned. The issue is that these accounts lack security, making it easy for users to log in, obtain new accounts, and repeat the process in a matter of seconds.

This may be useful to you in the meantime: Chickynoid, server authoritative character replacement

Exploiters have been a major problem on Roblox for so long. Games like Natural Disaster Survival have sometimes become unplayable due to the abundance of exploiters. I made a game with friends when streaming to them on Discord where we try to last in a server for 10 minutes without an exploiter and see who can do it first. Going through ~10 servers before I see a server without an exploiter is genuinely baffling.

The problem that I see is not that people can just easily create new accounts, but the lack of prevention in the first place. I do think that Roblox should require a verified email by default, but I don’t think we need anything further than that. Heavy restrictions to the average user are not the best way of handling it even if it will help. It’s a double-edged sword solution. Instead, Roblox should be focusing a lot more on ensuring there is more prevention to combat exploits instead of focusing on account creation.

I also see that it is sad that we have to rely on something like Chickynoid, even if it’s a well-made system to combat it that I do recommend using for the time being. Roblox needs to focus on working with first-party solutions like native server-authority characters instead of relying on third-party solutions. I do know Roblox has it on the roadmap, but I see Roblox focusing more on other things.

The ban API is a good step in the right direction, but it requires the developer to actively add bad actors to the ban list. Preventing exploits is more important than stopping exploits already happening. Once your experience is ruined by exploiters, there is no way to get it back. The best thing we can do for now is create your own anti-cheat systems.

Also, I hate people saying to not bother with making your own client-sided anti-cheats. It’s okay to have a client-sided anti-cheat in your game as it can deter most exploiters as they most likely just got the script off a random website. A server-sided anti-cheat should be mainly used for picking up the pieces that the client-sided anti-cheat misses in case the client-sided anti-cheat is bypassed or if something isn’t detected. Client-sided anti-cheats are like locks; we use them for security despite them being able to be lockpicked, but not everyone knows how to do that or will try to learn how to. Having no lock at all or having your door wide open is inviting people to just come right inside.

It is impossible to stop exploits permanently. It’s a constant cat-and-mouse game. The only thing we can do is ensure there is a way to stop most of them and then try to get rid of the rest through bans or other punishments.

1 Like

They’ve really been dropping the ball, in my opinion.

One thing they should consider is integrating Guilded into Roblox, so each group can function as a community directly within Roblox, complete with ranks, chats, privileges, and so on, rather than depending on a separate app. This would make identities directly linked to Roblox accounts, which would be nice for moderation. It’s promising that they plan to let certain ranks use the ban panel; it would be a help to have mods not have to enter servers just to ban people, but that’s still months away. Time and again, I’m left bewildered by their focus on aspects like character customization and manipulations, when there are clearly more pressing improvements needed. With such a big team and resources, I’m often left wondering “what in the world are they doing?” The simplest things take way too long.