Recently, one of my developer friends had his account hacked into and his robux drained without him getting any notification. He still does not know how he was hacked. Thankfully he recovered his account, but it happened while he was online, so if he wasn’t it most likely would have been the end for his account.
Here’s the issue: His second step verification code was not triggered, nor did he receive an email for a new login. He didn’t press any suspicious links lately or send anybody any of his personal information lately either. There’s no trace of the hacker except for the high robux purchases done without his knowledge.
Sounds like it’s a family member? It’s not. He never was signed in on any other computer than the one he was using while it happened.
Here’s the catch. The hacker seems to target smaller developers.
Before this, one of his personal friends who was working in studio for a bit got hacked the same way too. No trace. He fortunately was able to recover his account too, but lost all his robux in the same way.
In both instances, their email was not changed immediately, only their password, which they received no notification of. This is only a story that I have received from trusted friends. I’ve heard from other posts on the dev forum of users having their accounts stolen or robux drained lately in the same way. Here is an example of a very similar instance of a user being hacked in a trackless manner.
Shortly before this, my friend had unusual troubles with his studio, where every time he loads it up it would cause all his parts to be unanchored/displaced. Could this potentially be linked to the hack?
How are we supposed to defend against an account hacking method that leaves no trace and completely disables second step notification? Is this an act of cookie logging? How could their cookies get stolen?
He and I have a theory that there is some kind of malicious studio plug-in that is able to hack your accounts and detect if they have robux.
Is this a form of cookie logging?
I am asking for any advice on how to stay safe or the potential cause of these acts. This is a SERIOUS issue.
[EDIT] - 2023-09-04 -
Turns out, both my account and my friend’s account were attacked by a cookie logging virus, most likely installed by a Chrome extension by the name of Ro-search. DO NOT INSTALL OR USE THIS CHROME EXTENSION. IT IS A VIRUS.
This extension became pretty popular on the Chrome Web Store around 2022, and shortly after its popularity it became known that it had a virus that it could install on your computer. After this knowledge, I uninstalled the extension on Chrome, but didn’t realise it was still installed on Bing browser.
The virus inside this extension is what attacked both me and my friend nearly at the same time just around a week ago.
This virus would crash Microsoft Defender when I tried to scan for it, ultimately resulting in me having to reset my laptop. My friend reset his device too, and the virus didn’t survive.
Since there is some misinformation or not much knowledge on how to deal with cookie loggers like these, let me tell you what we have found out. I also want to say a big thank you to hihi250. He really saved me and my friend with his ultimately invaluable knowledge on the subject…
How to get a cookie logger out of your account, steps and suggestions:
- Cookie loggers are a kind of way to hack into accounts by fooling Roblox into thinking it’s your computer signing your account in. They steal your local security cookie saved on your computer. This cookie can bypass all account sign-in security.
- If the cookie logger can’t get access to the internet, it cannot attack your account. If you are being attacked, you can turn off your Wi-Fi or completely shut off your device that is suspected to have the virus.
- The only way to remove your cookie is to log out manually, change your password, or click the Log Out Of All Other Sessions button. Resetting your cookies on your browser simply makes your browser forget the cookie exists on your computer, and by logging in, you could create multiple cookies.
Steps:
- Change your account password. This signs you out of all other devices and can end the attack entirely.
- Enable a security PIN. Settings > Parental Controls > Parent PIN. This stops most cookie loggers/hackers from being able to change any of your account settings and password. Don’t forget the PIN, it can be hard to disable it. Treat it like your password. Some cookie loggers can still get access to this PIN, usually by detecting when you unlock your account. If you suspect you have a virus on a device, do not unlock your PIN on it.
- Check where you’re logged in. Settings > Security > Where You’re Logged In. After you change your password, you shouldn’t be logged in anywhere else except for your device. If you are logged in somewhere else, even if the location is the same, it most likely means you have a virus on your device.
- Uninstall all browser extensions on your browser. Most cookie logger viruses come from Roblox extensions.
- If you have a virus, log into another device that you know doesn’t have a virus, such as a phone or old tablet. Disconnect the infected device from the internet, or power it OFF. It can’t be sleeping. On the safe device, click “Log Out Of All Other Sessions” under the Where You’re Logged In page. Reset your password again.
- Keep your Roblox account on only one device for the time being. Do not connect the device with the virus to the internet or use any form of Roblox on it. Try and use your antivirus to remove this, but if you can’t, it’s best to reset the device. Your device has a virus, which could most likely do more than steal your Roblox account. It could steal your email, bank information, files, identity, and completely disable your device.
This is what I did and it completely saved my account. Feel free to repeat any steps if you are unsure about them, and make sure to keep track of where you are logged in. Hackers/cookie loggers can copy your location, so don’t always trust the location. If you have two logins for the same device, then it most likely is a hacker.
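
Added example, not part of the original post: the edit above describes an extension that was removed from Chrome but stayed installed in a second browser, so this Python sketch audits every Chromium profile on a Windows machine at once and flags extensions that request the `cookies` permission together with host access covering roblox.com. The standard Chrome and Edge "User Data" paths are assumed, and the sample tree and extension IDs in `build_sample` are constructed for illustration.

```python
import json, os
from pathlib import Path

def default_roots():
    """Default Chromium "User Data" folders on Windows (assumed install paths)."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return {"Chrome": local / "Google/Chrome/User Data",
            "Edge": local / "Microsoft/Edge/User Data"}

def scan_user_data(browser, root):
    """List extensions stored as root/<profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    for manifest in Path(root).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, keep auditing
        if not isinstance(data, dict):
            continue
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        perms = [p for key in ("permissions", "host_permissions", "optional_permissions")
                 for p in data.get(key, []) if isinstance(p, str)]
        all_sites = any(p == "<all_urls>" or "://*/" in p for p in perms)
        touches_roblox = all_sites or any("roblox.com" in p for p in perms)
        found.append({"browser": browser, "profile": manifest.parts[-5],
                      "id": manifest.parts[-3],
                      "name": data.get("name", "?"),  # may be a __MSG_...__ locale key
                      "risky": "cookies" in perms and touches_roblox})
    return found

def audit(roots):
    """Scan every browser root and return one flat list of findings."""
    return [e for browser, root in roots.items() for e in scan_user_data(browser, root)]

def build_sample(tmp):
    """Constructed sample tree; the extension IDs and names are made up."""
    samples = [
        ("Chrome", "Default", "aaaa-example-id", {"name": "Theme helper", "permissions": ["storage"]}),
        ("Edge", "Default", "bbbb-example-id", {"name": "Example search tool",
         "permissions": ["cookies"], "host_permissions": ["*://*.roblox.com/*"]}),
    ]
    for browser, profile, ext_id, manifest in samples:
        d = Path(tmp) / browser / profile / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
    return {b: Path(tmp) / b for b in ("Chrome", "Edge")}

if __name__ == "__main__":
    for e in audit(default_roots()):
        print("RISKY" if e["risky"] else "ok   ", e["browser"], e["profile"], e["id"], e["name"])
```

A flag here is a reason to look closer, not proof of malware; legitimate extensions also request these permissions, and an unflagged extension is not proven safe.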