I am posting this on behalf of a friend who cannot post themselves, as their account is currently terminated.
Recently, a close friend of mine had their account (putriduscadavers) provably hacked and stolen by a phishing attack, consequently getting them terminated.
They were actively working with support to reinstate their account’s sensitive information. (The attacker altered emails, passwords, etc.) Account valuables were also stolen. Support communication has stopped for a few days now, and they are growing worried over the 30-day appeal period, which is why I am posting the bug report.
As far as I am aware, they were able to recover the main email to the account after proving their identity, and were told by support that the 2FA was removed so they could begin recovery.
As of a few days ago, they attempted to recover their account and are now stuck in a bug/loophole. Staff did not disable 2FA, and when they are told to input the temporary code (sent to the now recovered email), they are looped through the ‘Roblox Recovery’ process (inputting their username, the email associated, receiving the verification code, inputting the code, being told to once again go through 2FA?). This results in them looping through the 2FA process endlessly. They learned through a separately banned-by-proxy alt account that the account putriduscadavers was terminated due to ‘severe violations’. Neither of us knows the true reason behind the termination, or what actions were taken while the account was hacked. After figuring this bit out, they contacted appeals.
Edit: More specifically, support claimed to remove 2-SV with Authenticator. Regardless, despite having access to a security code, they are still being looped, and unable to recover the account impacted.
They believe 2FA is attempting to reach a now defunct, past email under the account’s original registry, which is not possible, and not what the account is (now) verified under, resulting in this loop. (This is what they assume.)
They are still awaiting a response to prior tickets made. They also responded to the email informing them 2FA was disabled, explaining the situation. There has been no answer yet.
My friend is willing to provide (and has already provided some) verifiable proof. They also have the relevant emails documented from the attackers’ account alterations. They are able to provide more if need be, but this account is extremely dear to them, and they are afraid of support ignoring their tickets.
I have written this on their behalf, as they cannot currently access Devforum. If their situation can be reviewed or resolved, I would be extremely grateful.
Expected behavior
Expected behavior would be having 2FA removed, or at least being allowed access to the account’s recovery after putting in the temporary code.
A private message is associated with this bug report