How do I Defend Against Traceless Account Hacking Method / Cookie Logging?

Recently, one of my developer friends had his account hacked into and his Robux drained without him getting any notification. He still does not know how he was hacked. Thankfully he recovered his account, but it happened while he was online, so if he wasn’t, it most likely would have been the end for his account.
Here’s the issue: his second step verification code was not triggered, nor did he receive an email for a new login. He didn’t press any suspicious links lately or send anybody any of his personal information either. There’s no trace of the hacker except for the high Robux purchases done without his knowledge.
Sounds like it’s a family member? It’s not. He was never signed in on any other computer than the one he was using while it happened.
Here’s the catch. The hacker seems to target smaller developers.
Before this, one of his personal friends who was working in Studio for a bit got hacked the same way too. No trace. He fortunately was able to recover his account too, but lost all his Robux in the same way.
In both instances, their email was not changed immediately, only their password, which they received no notification of. This is only a story that I have received from trusted friends. I’ve heard from other posts on the dev forum of users having their accounts stolen or Robux drained lately in the same way. Here is an example of a very similar instance of a user being hacked in a trackless manner.

Shortly before this, my friend had unusual troubles with his Studio, where every time he loaded it up it would cause all his parts to be unanchored/displaced. Could this potentially be linked to the hack?

How are we supposed to defend against an account hacking method that leaves no trace and completely disables second step notification? Is this an act of cookie logging? How could their cookies get stolen?

He and I have a theory that there is some kind of malicious Studio plug-in that is able to hack your accounts and detect if they have Robux.
Is this a form of cookie logging?

I am asking for any advice on how to stay safe or the potential cause of these acts. This is a SERIOUS issue.

[EDIT] - 2023-09-04 -
Turns out, both my friend’s account and mine were attacked by a cookie logging virus, most likely installed by a Chrome extension by the name of Ro-search. DO NOT INSTALL OR USE THIS CHROME EXTENSION. IT IS A VIRUS.

This extension became pretty popular on the Chrome Web Store around 2022, and shortly after its popularity it became known that it had a virus that it could install on your computer. After this knowledge, I uninstalled the extension on Chrome, but didn’t realise it was still installed on the Bing browser.

The virus inside this extension is what attacked both my friend and me nearly at the same time, just around a week ago.
This virus would crash Microsoft Defender when I tried to scan for it, ultimately resulting in me having to reset my laptop. My friend reset his device too, and the virus didn’t survive.

Since there is some misinformation, or not much knowledge, on how to deal with cookie loggers like these, let me tell you what we have found out. I also want to say a big thank you to hihi250. He really saved me and my friend with his ultimately invaluable knowledge on the subject…

How to get a cookie logger out of your account, steps and suggestions:

  • Cookie loggers are a kind of way to hack into accounts by fooling Roblox into thinking it’s your computer signing your account in. They steal your local security cookie saved on your computer. This cookie can bypass all account sign-in security.

  • If the cookie logger can’t get access to the internet, it cannot attack your account. If you are being attacked, you can turn off your Wi-Fi or completely shut off the device that is suspected to have the virus.

  • The only way to remove your cookie is to log out manually, change your password, or click the Log Out Of All Other Sessions button. Resetting your cookies in your browser simply makes your browser forget the cookie exists on your computer, and by logging in again, you could create multiple cookies.

Steps:

  1. Change your account password. This signs you out of all other devices and can end the attack entirely.

  2. Enable a security PIN. Settings > Parental Controls > Parent PIN. This stops most cookie loggers/hackers from being able to change any of your account settings and password. Don’t forget the PIN; it can be hard to disable it. Treat it like your password. Some cookie loggers can still get access to this PIN, usually by detecting when you unlock your account. If you suspect you have a virus on a device, do not unlock your PIN on it.

  3. Check where you’re logged in. Settings > Security > Where You’re Logged In. After you change your password, you shouldn’t be logged in anywhere else except for your device. If you are logged in somewhere else, even if the location is the same, it most likely means you have a virus on your device.

  4. Uninstall all extensions from your browser. Most cookie logger viruses come from Roblox extensions.

  5. If you have a virus, log in on another device that you know doesn’t have a virus, such as a phone or old tablet. Disconnect the infected device from the internet, or power it OFF. It can’t be sleeping. On the safe device, click “Log Out Of All Other Sessions” under the Where You’re Logged In page. Reset your password again.

  6. Keep your Roblox account on only one device for the time being. Do not connect the device with the virus to the internet or use any form of Roblox on it. Try and use your antivirus to remove this, but if you can’t, it’s best to reset the device. Your device has a virus, which could most likely do more than steal your Roblox account. It could steal your email, bank information, files, identity, and completely disable your device.

This is what I did and it completely saved my account. Feel free to repeat any steps if you are unsure about them, and make sure to keep track of where you are logged in. Hackers/cookie loggers can copy your location, so don’t always trust the location. If you have two logins for the same device, then it most likely is a hacker.

11 Likes

Based on what you’ve described, this definitely happened because their Roblosecurity token was used to authorize requests on their behalf. Your Roblosecurity is a hash generated when you log in that is stored locally in a cookie and is linked to your account. That way, when you’re sending a request that requires you to authenticate yourself, the cookie is carried along with your request and shows the server who you are (without having to log in every time).

Using it directly to access someone’s account will obviously bypass 2-step verification — as I mentioned, the purpose of it is to prevent you from having to log in every request. The cookie is stored locally, and only ever transmitted to Roblox over HTTPS, which means it was probably stolen. It doesn’t have to leave a trace because the cookie is supposed to be tied to your computer and you’ve already proven it’s you by logging in. It’s up to you to protect it.

I’d recommend telling your friend to uninstall any extensions that need to access roblox.com and possibly check for malware.

7 Likes

The only extensions he had were the official RoPro and BTR roblox, which are known to be trusted extensions. He also hasn’t downloaded anything recently. If this is a case of “cookie logging”, then what are the ways your cookies can be stolen, so you can further protect your cookies? Can you disable them? Does logging out of your browser each time you are done using Roblox prevent it from being hacked in this way?

2 Likes

I don’t know your friend’s situation so I can’t tell you what happened. I assume it was logged by an extension or malware, but there are a few other possibilities, like:

  • Someone had access to their computer and manually copied it
  • Their requests were logged by an insecure, malicious WiFi network (unlikely, since Roblox uses HTTPS everywhere)
  • A phishing attempt where someone tricked your friend into giving them their cookie

There aren’t very many other options. It’s nearly impossible to log requests in between the client and the server since all Roblox endpoints are encrypted. This means that it’s nearly guaranteed to have happened locally.

Cookie-logging extensions and malware are pretty common, so just because they haven’t downloaded anything recently does not mean that something isn’t running in the background and stealing their cookies.

There’s not much you can do to protect your cookies other than making sure you don’t download malicious extensions or software. Since the cookie has to be sent along with requests, anyone or anything with access to your computer can read your cookies.

You can’t disable them if you want to use Roblox. Your Roblosecurity cookie is how all requests are authenticated.

Logging out of your browser when you’re done using Roblox will prevent your Roblox cookies from being stolen when you’re logged out. However, if it’s a malicious piece of software, it will simply steal the cookie while you’re logged in. If you’re concerned another person physically has access to your device, then logging out when you’re done should stop them.

4 Likes

That’s good that you can’t be hacked by this method if you are logged out. I’ve been using Firefox and I’ve just enabled a feature that resets all cookies when you close the tab, making it so I have to log in every time I open up Roblox. Is this a valid way to potentially stop all forms of cookie logging, or is it pointless as I could be cookie logged while online? It is quite annoying to have to sign in every time, but I suspect being hacked while you are there to take action is a much better circumstance to be in than while you are sleeping and such.

It depends. I suppose it adds an extra layer of security, but, again, if you have malicious software installed, it will log the cookie and often steal all your Robux/limiteds in a few seconds. This obviously won’t happen when you’ve signed out, but it’ll just steal it whenever you’re logged in.

There’s almost nothing you can do to prevent this from happening aside from not giving anything access to the cookie in the first place.

Also, just signing out will not reset your Roblosecurity on the server. I think you need to click the “Log out of all sessions” button in order for it to be reset. So even if you log out locally, someone who stole your cookie previously will still be able to use it until you actually click the session logout button.

In my opinion, it seems overkill and most likely won’t change anything, but it does add another layer of protection.

4 Likes
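An added example, not code from this thread or from Roblox, modelling the point made in this reply and in the earlier one about the Roblosecurity cookie: the server only knows the token it issued, so clearing cookies locally leaves a copied token valid, a fresh login just adds a second session, and only the session logout button (or a password change) revokes the copied one. The session table, account name and function names are assumptions.

```python
import secrets


class SessionStore:
    """Constructed model of a server-side session table (not Roblox's real code)."""

    def __init__(self):
        self.sessions = {}  # token -> account; the token is what the login cookie carries

    def login(self, account):
        token = secrets.token_hex(16)  # fresh random session secret issued at each login
        self.sessions[token] = account
        return token

    def authenticate(self, token):
        """What every request does: a valid token alone proves who you are; no 2FA is asked."""
        return self.sessions.get(token)

    def revoke_all_except(self, account, keep):
        """'Log Out Of All Other Sessions' (and a password change): the server forgets
        every token for this account except the one on the trusted device."""
        self.sessions = {t: a for t, a in self.sessions.items()
                         if a != account or t == keep}


class Browser:
    """Client side: 'clear cookies' only empties this jar; the server never hears about it."""

    def __init__(self):
        self.cookie = None

    def clear_cookies(self):
        self.cookie = None


def demo():
    server, victim = SessionStore(), Browser()
    victim.cookie = server.login("dev_friend")
    stolen = victim.cookie  # assume a cookie logger has already copied the cookie value
    # 1. Clearing cookies locally: the browser forgets the token, the server still honours it.
    victim.clear_cookies()
    valid_after_clear = server.authenticate(stolen) == "dev_friend"
    # 2. Logging back in mints a second token, so two sessions now show for this account.
    victim.cookie = server.login("dev_friend")
    session_count = list(server.sessions.values()).count("dev_friend")
    # 3. Revoking all other sessions from the trusted device invalidates the stolen token.
    server.revoke_all_except("dev_friend", keep=victim.cookie)
    stolen_valid_after_revoke = server.authenticate(stolen) is not None
    own_valid_after_revoke = server.authenticate(victim.cookie) == "dev_friend"
    return valid_after_clear, session_count, stolen_valid_after_revoke, own_valid_after_revoke
```

Running `demo()` returns `(True, 2, False, True)`: the copied token survives a local cookie wipe and a re-login, and dies only at the server-side revoke.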

So signing out doesn’t reset the cookie? What if I were only signed in on one device, and logged out normally? Would my cookie be reset then? Also, I probably will keep my cookie eraser on my browser, as if I were to lose Robux that’s one thing, but to lose your entire account is another… Yet I’m wondering, does an account PIN almost entirely stop this instead of a cookie eraser? If my account was cookie logged then I’d lose my Robux whether I was there or not, but can the cookie bypass the Roblox account settings PIN? According to the person in the post I linked, their account settings PIN was disabled when they were hacked. How is this possible with a simple sign-in cookie? Does the Roblox account PIN feature have a cookie that malware can access, too? Sorry for bombarding you with questions. This is quite an interesting topic and you seem to know a lot about it.

1 Like

UPDATE AS I SPEAK. My friend has just been cookie logged again, and potentially I have too.
He was just kicked out of his account but was able to sign back in by resetting his password, even though earlier I had him reset his cookies. I’ve also just noticed I have a ton of new sign-ins as I am typing this; I just reset them, even though my Firefox browser should have been. He found a ton of new sign-ins too. Resetting the cookies on our browsers isn’t working. I haven’t downloaded anything lately nor do I have any plug-ins. There is some kind of virus and it is spreading.

4 Likes

What is our solution? Should we uninstall our browsers and just keep Roblox on mobile? We can’t get the cookie loggers out.

1 Like

I don’t know. I think the token can only be reset if you click the session logout button.

No, your account PIN is a separate thing and even if authenticated requests are sent to change your settings, your PIN still has to be unlocked. Your Robux (unless in a group) and limiteds will be stolen, but no settings can be changed. It’s important to always have a PIN to prevent this.

However, if you have a malicious extension or malware, attackers can easily get your PIN from the authentication payload when you unlock your settings. It is not encrypted at all. So, if you unlock your settings while something has access to your computer, your PIN can also be stolen.

No one can bypass the account settings PIN without entering it correctly. The attacker may have guessed the PIN or logged it when they stole the cookie.

I don’t believe your PIN is stored locally, but if it is, it would only be when your settings are unlocked. I think it’s only ever stored on the server. Regardless, as I mentioned before, an attacker can just steal it when you enter it in.

4 Likes

Did you click the session logout button at the bottom of your security settings? If they keep gaining access to your accounts then you almost certainly have a malicious extension or malware installed. I can’t help you with that but I recommend you run a virus scan and double-check all your extensions. Until you do that, it might be a good idea to stay logged out on your computer.

If you can’t find anything, resetting your computer would most likely fix it. I don’t know your situation so I’m not going to say to do anything other than double-check everything.

2 Likes

Thank you for the help. This is truly lifesaving, but we have done a scan and it detects nothing, and we uninstalled all Chrome extensions hours ago. Will powering off a computer stop the cookie loggers? Does uninstalling a browser stop them? We have signed out of all sessions many times. I think we both have a virus and it is striking now. How can it spread so fast??? My friend has a Mac, I have Windows. How can a virus switch operating systems? We have no Chrome extensions.

1 Like

I don’t know what the problem is, so I can’t tell you what will fix it. But powering off the computer, or even just disconnecting it from the internet, will stop the cookie logger (as long as you turn it off, and not just put it into sleep mode). It could be a program or a browser extension which is stealing the cookie. I can’t help you any more than suggest what the problem might be.

4 Likes

Thank you for the suggestions. My friend is currently resetting his computer. The cookie logger is most likely out. You really saved him! I am still unsure whether I had a cookie logging attack too. I have a feeling that my browser resetting the cookies simply created a new cookie every time I signed in, as the cookie is stored locally, so the browser (Firefox) couldn’t delete it fully but just didn’t read it again. So, when I went to check my Roblox sessions in settings it showed many instances. I have signed out of all other instances and it isn’t coming back. I also had an issue on my phone where I was logged out; suspecting this to be a cookie log too, I changed my password and also signed out all cookies. I do think this signing out could have been a mobile glitch, as sometimes you are signed out when you switch IPs, which could have happened.

3 Likes

Keep some details and send them to a staff member on the forum and support. They should get you the money back and ban the exploiter’s account.

4 Likes

You should get someone to see your pc dang.

2 Likes

By the way, logging in may be easy, but purchasing any large items will forcefully require 2FA. I think the money/limiteds should be safe.

3 Likes

I suggest you reset your PC; I think there is a virus that keeps collecting information and cookies.

1 Like

I have reset my PC, but something stopped the reset process and it’s completely bricked at the moment. I definitely had an attack and I don’t know how I got it. I suspect there’s a vulnerability in the app/browser “dizzy”, because shortly after I was helping my friend in DMs on the app I got it. Microsoft Defender also repeatedly crashed when I was doing scans, and my PC started taking a lot longer to open things. As soon as I would connect to Wi-Fi it would log me out of my accounts. Thankfully my account is safe again and I can use it on mobile. I haven’t lost anything, but my friend had all his Robux drained. All I can think is that there was some kind of reverse connection created on my PC to scammers, or that there’s a really bad and resilient virus.

1 Like

Viruses can be evil… noescape.exe persists after reinstalling windows.