Exploiter accessing server script

Maybe he got it from a localscript who references a modulescript and he used the modulescript to access the script?

I think md scripts have the same principle as server scripts

There are several threads about this. They always go the same way :slight_smile:

  1. OP says an exploiter hacked their game
  2. People say that’s impossible
  3. OP says it’s possible
  4. OP finds out they had a backdoor or an untrustworthy developer.

So, if it’s really a server script – i.e. actually in ServerScriptService and not in ReplicatedStorage – you must have a backdoor, or someone else leaked it, or someone knows your ROBLOX password.

It is completely impossible for things in ServerScriptService or ServerStorage to be obtained by the client, as they never leave ROBLOX’s servers. Without access to your ROBLOX account, they would have to literally hack into enterprise-grade datacenters to find them (and if they can do that they have better things to do).

Things that are “easy” for a person to actually get the source for (within limits – for example the variable names of scripts aren’t sent) have to be in Workspace/ReplicatedStorage/any other replicated service.

Regarding your most recent reply: No, you cannot get to the server-side Script from a ModuleScript loaded on the client.

ModuleScripts are copied and sent to the client. If the client and the server require() the same ModuleScript, they actually don’t. It’s just the same code duplicated for each one.

@bootsareme Try enabling FilteringEnabled

More Info: Workspace | Documentation - Roblox Creator Hub

EDIT: THIS IS ONLY FOR GAMES, SORRY

So you are saying if they got the server script through the client they must have physically hopped the fence at one of the Roblox data centers right?

I’m saying they didn’t get the server script through the client.

But no, they wouldn’t need to physically be there. The servers are connected to the internet. That’s irrelevant though, because like I said, the skills needed to do that require levels of technical competence that some random ROBLOX player who steals passwords with phishing PMs and thinks they’re Mr. Robot just doesn’t have. :slight_smile:

They didn’t hack anything. They stole your account, you have a backdoor, or your game was leaked by someone who was working on it. Those are the only possibilities. You’re posting here, so your account probably wasn’t stolen at least.

My account wasn’t stolen and no backdoors, so yeah, because my game had no free models, everything was forged by me. Perhaps, my password got brute force guessed?

Could be. Change your password (or even get a password manager) and don’t worry about it unless it happens again.

If you sign out of all sessions the cookie should become invalidated making it useless.

I heard exploiters can hack through cookies? I know they store data, but I am not validating it to any website. I never go to free robux websites etc., no free admin. I only go to developer.roblox.com, roblox.com, and devforum.roblox.com.

Yes, as I stated right here, the cookie would be reset and a new one would take its place.

Regular server script permission is all that is needed for someone with backdoor access to move or clone everything from ServerScriptService into ReplicatedStorage or Workspace.

@EmilyBendsSpace That won’t be able to do anything for the client because server scripts don’t get compiled on the client

I guess the OP should clarify what he means by “server scripts”: are we talking just about a Script, or about the game’s server code, the majority of which is normally in ModuleScript instances in most games? The latter can definitely be replicated to the client and stolen. Lots of top games only have one actual Script instance that just calls require on a top-level ModuleScript.

I learned the hard way, lost my group
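
The replication boundary discussed in this thread, and the backdoor scenario of moving or cloning code from ServerScriptService into ReplicatedStorage or Workspace, can be checked from the server. The following Luau Script is an added example, not code from any post above: it lists every Script, LocalScript and ModuleScript that sits in a replicated container at startup and warns when new code appears there at runtime. The container list and the character-script filter are assumptions to adapt to your own game.

```lua
-- Added example: server-side audit Script, intended to run from ServerScriptService.
-- Assumption: these are the replicated containers you care about; extend as needed.
local Players = game:GetService("Players")

local REPLICATED = {
	game:GetService("Workspace"),
	game:GetService("ReplicatedStorage"),
	game:GetService("ReplicatedFirst"),
	game:GetService("StarterGui"),
	game:GetService("StarterPack"),
	game:GetService("StarterPlayer"),
}

-- Script, LocalScript and ModuleScript all inherit from LuaSourceContainer.
local function isCode(inst)
	return inst:IsA("LuaSourceContainer")
end

-- Heuristic (assumption): ignore scripts that arrive inside a player's character,
-- such as the default Animate and Health scripts, to keep the log readable.
local function inCharacter(inst)
	local model = inst:FindFirstAncestorOfClass("Model")
	return model ~= nil and Players:GetPlayerFromCharacter(model) ~= nil
end

local baseline = {}

for _, container in ipairs(REPLICATED) do
	-- 1. Startup inventory: everything printed here is visible to clients.
	for _, inst in ipairs(container:GetDescendants()) do
		if isCode(inst) then
			baseline[inst] = true
			print(("[audit] replicated at startup: %s (%s)")
				:format(inst:GetFullName(), inst.ClassName))
		end
	end

	-- 2. Runtime watch: code that shows up later was parented by some server
	--    script, which is what a backdoor moving or cloning server code does.
	container.DescendantAdded:Connect(function(inst)
		if isCode(inst) and not baseline[inst] and not inCharacter(inst) then
			warn(("[audit] code entered replicated container at runtime: %s (%s)")
				:format(inst:GetFullName(), inst.ClassName))
		end
	end)
end
```

Any ModuleScript in the startup inventory that holds server-only logic belongs in ServerScriptService or ServerStorage instead, and a runtime warning you cannot trace to your own code is a reason to search the place for unexpected `require` calls.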