How to protect your Roblox account: Advanced guide

How to protect your account from getting hacked: A super advanced guide

I am aware that there have been posts on this topic before, but they are ancient. They also don’t cover anything more advanced than the account settings themselves. None of them mention that a deleted ROBLOSECURITY cookie can be recovered, or that viruses can also steal passwords from AppData folders. Therefore, I present you with a very advanced tutorial on how to protect your Roblox account!

In this post, I will describe all the methods I use to protect my account from being hacked, however significant or insignificant they may appear. Some are a must-have, whereas others are not really necessary. I will order them from the most needed down to the more abstract methods that you may not really need.

These will be color coded: Red = 100% necessary, Yellow = somewhat necessary, Blue = not really necessary except in extreme circumstances.

COMMON SENSE.
Everyone has this. Do not click on any weird links, and do not paste scripts anywhere in your browser. Simple and easy. Also, do not visit “free robux” sites.
Also, DO NOT GIVE ANYONE YOUR PASSWORD. Roblox will never ask for your password. Not even Roblox admins!

Also, do not give .har files to ANYONE, and do not paste anything into inspect element (the browser’s developer tools).

One more tip: copy the link text and paste it into a new tab instead of clicking it. A link’s visible text can differ from where it actually points, and pasting the text yourself means you visit what you can read.

2 Factor Authentication
This is absolutely essential. If you don’t have it on and you’re known at all within Roblox, you’re basically asking to get hacked. It’s under settings, and the Roblox Support article https://en.help.roblox.com/hc/en-us/articles/212459863-Add-2-Step-Verification-to-Your-Account explains how to find the 2FA settings and enable it. Note that you must have a verified email first. However, DO NOT ADD YOUR PHONE NUMBER TO YOUR ROBLOX ACCOUNT, because SIM swapping is a newer hacking tactic (see the SIM swapping section below).

Password choice
Password choice also matters. Nowadays, with the immense power of computers, hackers can use brute force attacks to guess lots of shorter passwords. In fact, an 8 character password can be cracked in under an hour, even if it has symbols and numbers (e.g. 73nd8an#). If you are aiming for good security, a 10 character password will suffice (e.g. e8c;iq1=Nf would take about 2 months to crack), but a 12 character password is best (e.g. beJ9amH'[qu& would take 400,000 years to crack). A good password will also have a mix of uppercase (ABCDEFG), lowercase (abcdefg), numbers (1234567) and symbols (;#.$*^).

IMPORTANT: Memorise all your passwords yourself. For best security, do not use any password saving service.

Useful tool: https://howsecureismypassword.net/

Account PIN

In the unlikely event of your account getting hacked, an Account PIN stops your settings from being changed. This protects against hackers changing your password, even if they know it.

You can find this just below the “Add 2 Factor Authentication” option in settings.

ROBLOSECURITY cookies
This is simple. DO NOT GIVE ANYONE ANY COOKIES, AND DO NOT PASTE JAVASCRIPT INTO YOUR BROWSER. A stolen cookie bypasses 2FA and lets someone steal your account instantly. If you do fall for this, click Sign out of all sessions immediately, and then change your password. This video explains how to do that: How to sign out of all sessions in Roblox! (2021) (STILL WORKING)!!! - YouTube, which leads on to my next point.

Sign out of all sessions

Sign out of all sessions is classed as “orange” because it is needed in some cases. If you get hacked, you need to do this immediately. As a more casual countermeasure, you can also click it regularly whenever you feel like it. Do it as well if you visit a site and then realise it’s a fake Roblox site, because it may have stolen your cookie. See above for how to sign out of all sessions.

Deletion of cookies

You can delete your cookies so that your ROBLOSECURITY cookie cannot simply be read out of the browser. However, this is far from foolproof. There are better ways to protect yourself that can replace this or stack on top of it. Read “Secure data deletion” (below) and the next section for the better versions of this that I use.

Also, this only helps if you have dodgy people in the house or a virus on your device. It is not meant to protect against remote attacks.

Incognito mode
Incognito mode does not keep cookies, so a ROBLOSECURITY cookie cannot be found easily afterwards. Therefore, if you are high profile, use incognito whenever you can, which is almost always.

VPN
Use a trustworthy VPN, such as RiseUpVPN, ProtonVPN, ExpressVPN, NordVPN or Surfshark.
This may not do much for your Roblox account directly, but it protects against IP grabbers. If an attacker gets your IP and it’s residential, they can call your ISP and try to get information about you. This could eventually lead to social engineering methods, such as the attacks on Spanish Roblox Support (September 2020).

Email choice

Use an email that nobody knows about. Better yet, create the email just before you create your Roblox account. This can help massively against the Spanish Roblox Support social engineering attacks.

Secure data deletion (passes and stuff)

A lot of files and logs are left on your OS. If someone got hold of your device, or put a virus on it, they could extract files from the %localappdata% folder or the %temp% folder. That would put not only your Roblox account at risk, but all your other accounts as well! It also puts your cookies at risk even if you deleted them, because deleted files can be recovered until they are overwritten.

You can clear the %temp% folder and %localappdata% > Roblox > logs (type %temp% or %localappdata% in the search bar, then navigate to the Roblox folder and its Logs folder if present) using a program such as Eraser to prevent anyone from seeing those files. As a side bonus, it will also speed up your device. Use the Gutmann method (35 passes) if you want to be very safe; however, a 1 pass method will usually be enough. Each pass overwrites the data previously in the file, making the older data impossible to read.

If you deleted your cookies, also wipe the empty space on your disk to prevent the cookies from being recovered.

Important: Wiped data CANNOT be recovered with current technology. Although it may become possible with extraordinary advances in magnetic microscopy, it is not possible right now.

More about the Gutmann method: Gutmann method - Wikipedia

SIM swapping
@callmehbob (the Royale High developer) was unfortunately a victim of this. SIM cards can be swapped, and this is an odd vulnerability for Roblox accounts.

I recommend either not adding a phone number to your Roblox account, or checking your settings to ensure nobody has SIM swapped you. I recommend the former over the latter.

Also, SIM swapping can result in much worse things than a Roblox account hack. Bank account hack? Possible. Address leak/dox? Possible, and that could lead to a cold boot attack (see below).

Real-world protection

If you have untrustworthy family members, this method is more important than “blue” suggests. Always remember to close applications, because leaving the app open is actually a major vulnerability in the real world. I use a yellow taskbar edge, because yellow is hard to miss; it reminds me to close apps when they are not in use.

You can also create more desktops in Windows to protect yourself. This explains how: Multiple desktops in Windows 10. Win+Ctrl+Left/Right Arrow will switch between desktops as well.

Note that this method only protects against people in the house.

Keylogger

Keyloggers can steal your passwords by logging the keys you press on your keyboard. However, this is circumventable. You can open a virtual (on-screen) keyboard to type your password, or you can use anti-malware to remove (or at least quarantine) the keylogger.

Cold boot attacks?

Although no Roblox account has been hacked with this method yet, one could possibly be if the owner’s address is doxxed. If a hacker breaks into your house when you’ve just logged into Roblox, they can spray liquid nitrogen (or another cold substance) on the RAM to preserve its contents. This is extremely unlikely, but an easy precaution is to look behind you when you log into Roblox or turn off your PC.

Also, staying near your PC for 5 minutes after you’ve turned it off will eliminate any risk of a cold boot attack.

Note: A cold boot attack is EXTREMELY UNLIKELY, and it is far more worthwhile to read the methods above first, especially the red ones. Even outside of Roblox, only a few successful cold boot attacks have ever been carried out, so this really isn’t anything serious to fear.

Thank you for coming to my TED talk about how to fully secure your Roblox account, as well as reaping some other side benefits.

88 Likes

Great article! :clap:

This will help me, and every other developer, a bunch! Thanks for making Roblox safer :slight_smile:

8 Likes

nobody really bruteforces accounts anymore but you should probably turn 2fa on for your little dumber sibling (if you have one)

here’s the deal, i can have a 90 thousand character long password but it is useless if i save it in chrome and i’m downloading random executables. some so-called stubs look through your saved passwords, and also wait until you open roblox player/studio and grab your cookie by looking at the command line arguments (fun read). a paper note is more secure, really. bonus

js loggers evolved so much that some actually steal limiteds the moment they obtain the cookie. however it’s not hard to not fall for them. a worse problem is using cookies for development/group automation and screensharing. someone could screenshot or record it. (happened to an unlucky friend)

DO NOT DELETE YOUR COOKIES! it might do more harm actually, if you delete a roblosecurity from your browser that doesn’t invalidate the cookie, therefore if someone already has it it’s already game over. use the sign out button instead, same result less problems

useless to protect your roblox account, as roblox forces ssl so the only thing a hacker would see is roblox.com, but is okay against ip grabbers; citing a thread from a forum with a green aussie bird as the mascot:

If your IP is residential, there is a possibility that they can call your ISP and try to find out who you are. ISPs are not supposed to give out dox, but telephone operators are less-than-savvy, poorly-paid human beings who can potentially oblige a charismatic caller.

still no point in keeping it on 24/7. also, add riseup to the list

if you nuke appdata you risk breaking windows, it’s easier to get a good scanner like hitman pro or mbam and it is more efficient. temp should be regularly cleaned anyways, ccleaner can do that if you have it. there is also a 3rd folder, %localappdata%.

the desktops are visual and not separate environments.

to add another quote from the kiwi forum:

Don’t make enemies if you don’t want enemies.

15 Likes

I think you fell for the VPN ads. A VPN will do nothing to protect you under this context. Roblox already forces HTTPS & your traffic is not viewable to an attacker.

12 Likes

VPN
Use a trustworthy VPN, such as ProtonVPN, NordVPN, ExpressVPN and Surfshark. These VPNs will protect you if someone can hack your ISP and look at your history. Who knows? Maybe your parents are uneducated at password choice, and use 123456 as their ISP password. You never know.
In fact, these are also good because they will also protect against IP grabbers. The IP grabber will still work, but it’s useless if all they get is a VPN IP.

I’ve used VPN’s before and they sometimes prevent you from joining roblox games/experiences. I mean it’s not a hard fix but it’s something to keep in mind

6 Likes

Wow, I actually pasted a JavaScript in my browser and I didn’t even know it can bypass 2FA and steal my account! Thanks, now I will click Sign out of all sessions.

3 Likes

Yeah, they’re a small method to protect against you forgetting to close Roblox. It’s blue because hardly anyone will actually need it. I’ll also add another blue one called cold boot attack, because there’s not yet been a case where a hacker has frozen the victim’s RAM, but who knows?

3 Likes

Ok good, will be sure to fix that.

2 Likes

I was aware of this, and I worded the post more clearly.

2 Likes

I think @Thuliiii meant VPNs more in general. Not only within the HTTPS secured Roblox website, but outside, such as discord, other websites etc.

2 Likes

Again, a VPN will not protect your account. Any website worth your time in 2021 already implements strong HTTPS standards and using a VPN in an effort to hide your traffic to these sites is a waste of time, energy, and money.

A VPN might have made sense under this context 5 or 10 years ago, but it doesn’t now.

4 Likes

Yeah, probably. But it still adds a layer of protection, especially if you fell into the wrong website/hands. Mostly to avoid doxing though. Again, I’m not an expert - just my two cents.

1 Like

Correct. Still protects against IP grabbers though (followed with ISP call and who knows what, an address leak could pave way to cold boot), after all, I want to secure every possible method I could think of.


only feds do cold boots and even then its like super hard to pull off

regardless, i will add something that happened though: the hackers (or social engineers, really) contacted one of roblox’ payment processors, xsolla, and obtained information about someone who bought robux or premium. then they forged an apple pay receipt and sent it to support as proof, requesting a password reset, gaining access to the account and stealing limiteds.

the solution is always use giftcards bought from a different account. but the method takes so much time and is so hard to pull off i doubt they’ll target small devs and i hope xsolla did some employee training or something.

also, this might be a bit stupid, but roblox could add an on screen keyboard because keyloggers (i stole this idea from riseup too)


you hover over a key and it’s pressed in 2s

to add: sim swapping is the carrier’s fault, not roblox’, but still you shouldn’t add a phone number, especially if you’re in the us, because the us has public phonebooks with addresses

3 Likes

It’s also a good measure to regularly check if your email, phone, or password has been pwned. I do advise you to change your personal information if it has been marked as pwned using this website:

Email / Phone
Passwords

3 Likes
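The “has it been pwned” check above, as an added Python example that is not code from the thread: the password is never sent anywhere, only the first 5 hex characters of its SHA-1 are (the k-anonymity range query used by the Pwned Passwords API, whose `https://api.pwnedpasswords.com/range/<prefix>` endpoint and `SUFFIX:COUNT` response format are assumptions of this example). The sample response is constructed so the example runs offline.

```python
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password):
    """k-anonymity split: only the 5-char prefix of the SHA-1 leaves your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (the assumed range-endpoint format) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = split_for_range_query(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)

# Constructed sample response for the prefix of "password" (SHA-1 5BAA61E4...).
# The first suffix is made up for the demo; the second is computed so the
# demo is self-consistent. A real response contains hundreds of suffixes.
_pw_suffix = split_for_range_query("password")[1]
SAMPLE_RESPONSES = {
    "5BAA6": f"0018A45C4D1DEF81644B54AB7F969B88D65:3\n{_pw_suffix}:3861493\n",
}

def offline_fetch(prefix):
    """Stand-in for an HTTP GET of the range endpoint, using the constructed sample."""
    return SAMPLE_RESPONSES.get(prefix, "")

def live_fetch(prefix):
    """Real lookup (assumed endpoint); not used by the offline demo below."""
    import urllib.request
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(pwned_count("password", offline_fetch))  # 3861493 in the constructed sample
    print(pwned_count("beJ9amH'[qu&", offline_fetch))  # 0: prefix not in the sample
```

Swap `offline_fetch` for `live_fetch` to query the real service; a non-zero count means the password has been in a breach and should be changed everywhere it was used.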

This is not true. 2 factor authentication is a MUST. Even if bruteforcing couldn’t physically exist, only using a password still leaves you vulnerable to many things like keyloggers and people (like your siblings or friends) looking over your shoulder while you type.
Also it is very incorrect to assume that “nobody really bruteforces accounts anymore”. Crackers are ALWAYS trying to bruteforce accounts.
Also most passwords aren’t very secure. Even if you randomly try to smash your keyboard the results are very predictable. And you only need to compromise it once and you’ve compromised it forever. Only having 1 factor of authentication is not quite secure, hence 2FA exists.

I 100% agree. Some people think that “phone number more secure” but adding a phone number to a Roblox account is really bad. A hacker could get your phone number from a database leak and know your IRL HOME ADDRESS!!! Never use phone numbers on Roblox accounts!

Also some general tips people should know:

  • If some random person messages you on Discord or somewhere else to do something or pressures you to do something weird it is probably a scam.

  • Someone telling you to go to inspect element is a scam! Someone telling you to paste stuff into your URL bar is a scam! Someone telling you to paste JavaScript is a scam! Someone telling you to give them a .HAR file is a scam! Someone telling you to run their program which they DM’d you is a scam! Someone telling you to click some suspicious looking link could be a scam. Someone telling you to upload some random files from your computer is a scam! Someone telling you to give them some weird information from your computer could be a scam. Someone telling you to do something in your appdata could likely be a scam.

  • If someone sends you a link on Discord do not click the preview thing as it can be spoofed. Click the blue link text which has the link, as that one can’t be spoofed.

  • Use an account pin! This is really important! If they get access to your account via any method including cookies the account pin might save you! Remember to write it down!

Also you should not use your personal email for your Roblox account. Create a totally new email for your Roblox account. I would suggest using Protonmail instead of GMAIL. As well as using 2FA on your email and having a strong password. Remember to write down your password and 2FA recovery tokens in a special notebook which you use to store passwords!

2 Likes

Actually, I’ve found a case where that link was spoofed. The ONLY real best way is to Copy Link Address and then paste in the address bar and look for hidden link endings that could redirect to another website.

1 Like
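The link check described in the last two posts (compare the text a message shows with the link’s real destination, then look for hidden redirect targets in the URL), as an added Python example that is not code from the thread. The trusted host list and the sample links are assumptions constructed for the demo.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts treated as the real site; an assumption of this example, not from the thread.
TRUSTED_HOSTS = {"roblox.com", "www.roblox.com", "web.roblox.com", "help.roblox.com"}

def is_trusted_host(host):
    host = (host or "").lower().rstrip(".")
    # Exact match or a real subdomain; "roblox.com.evil.example" does not match.
    return host in TRUSTED_HOSTS or any(host.endswith("." + h) for h in TRUSTED_HOSTS)

def displayed_host(text):
    """Hostname a reader would infer from the visible link text, if it looks like a URL."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname

def embedded_urls(url):
    """URLs hidden in query parameters or the fragment, i.e. likely redirect targets."""
    parts = urlsplit(url)
    found = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            v = unquote(v)
            if v.lower().startswith(("http://", "https://", "//")):
                found.append(v)
    frag = unquote(parts.fragment)
    if frag.lower().startswith(("http://", "https://")):
        found.append(frag)
    return found

def check_link(displayed_text, href):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        # "https://www.roblox.com@evil.example/" really goes to evil.example.
        findings.append("userinfo before host (the real host is the part after the @)")
    if not is_trusted_host(host):
        findings.append(f"destination host is {host!r}, not a trusted host")
    shown = displayed_host(displayed_text)
    if shown and shown.lower() != host.lower():
        findings.append(f"shown host {shown!r} differs from real host {host!r}")
    for target in embedded_urls(href):
        t_host = urlsplit(target if "://" in target else "https:" + target).hostname
        if not is_trusted_host(t_host):
            findings.append(f"redirect parameter points to {t_host!r}")
    return findings
```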

i made a simple thing that clears my temp every 30 minutes (probably overkill) but i went and made a registry key thingy and it just uses command prompt which makes me feel safer

1 Like

I am just asking, but what is the danger in that? Technically, anyone who drives by you can get your address by your license plate.

1 Like

Thanks for writing this. However I suggest removing the text colors, it hurts my eyes and looks hard to read! Other than that, thanks again! :slight_smile:

1 Like