Password reset floodcheck bypass

My email is currently being bombed by password reset requests. I have received roughly 1000 emails in the past 20-30 minutes.

It seems like the bot doing this is bypassing floodchecks by randomly varying the letter-case of the characters in my email address.

I don’t know how much of a load Roblox’s email servers can handle or if I’m the only person being targeted by this, but I wanted to report it in case they manage to trigger something bad or crash something.

24 Likes

4,200 and counting over here. Definitely critical. I’m worried something serious is hiding in the middle of all this.

8 Likes

It shouldn’t be possible to brute force someone’s reset ticket. Roblox went the extra mile to make sure it’s computationally infeasible to guess someone’s ticket before the heat death of the universe.

My main concern is more that Roblox’s email server is getting DDoS’d here.

4 Likes

I’m at 829 currently; it started at 9:07 PM EST for me.

Our engineering team is actively investigating & addressing the reported issue. Thank you for bringing it to our attention, we appreciate it!

9 Likes

looks like Roblox needs to add a string.lower() to get rid of that case sensitivity bypass lol

In all seriousness, this is really strange. I’m pretty sure this attack is just to aggravate developers and nothing more. I see no logical reason why someone would spam a password request so many times, unless they are expecting to crash the mail in order to make it throw out an error that reveals information about its OS, as well as what it’s running in order to gain an edge in finding an exploit for the mail server?

If they were trying to crash it though, it’d probably be a better idea to keep that on the low, wouldn’t it? Attacking a developer’s account is probably the worst way to stay under the radar.

Regarding what CloneTrooper1019 said, let’s just hope those hashes are super salty.
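To make the string.lower() suggestion above concrete from the defender's side, here is an added example (Python, written for this thread and not Roblox's code) of a sliding-window floodcheck keyed on a canonicalized address rather than the raw string. The window length, request limit, function names and the list of case-varied sample addresses are all assumptions constructed for the demonstration.

```python
import time
import unicodedata
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional

# Hypothetical floodcheck parameters; assumptions for this example, not Roblox's values.
WINDOW_SECONDS = 600          # sliding window length in seconds
MAX_REQUESTS_PER_WINDOW = 3   # reset emails allowed per address per window


def canonical_email(raw: str) -> str:
    """Collapse an address to a single floodcheck key.

    NFKC normalization plus casefold merges "Dev@Example.com" with
    "dEV@EXAMPLE.COM" as well as full-width or otherwise lookalike spellings.
    Folding the local part is an assumption: RFC 5321 lets a receiving server
    treat it as case-sensitive, but a floodcheck should merge variants, not
    split them.
    """
    s = unicodedata.normalize("NFKC", raw).strip()
    local, sep, domain = s.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {raw!r}")
    return f"{local.casefold()}@{domain.casefold()}"


class ResetFloodcheck:
    """Sliding-window limiter keyed on whatever `normalize` returns."""

    def __init__(self, normalize: Callable[[str], str],
                 max_requests: int = MAX_REQUESTS_PER_WINDOW,
                 window: float = WINDOW_SECONDS) -> None:
        self._normalize = normalize
        self._max = max_requests
        self._window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, raw_email: str, now: Optional[float] = None) -> bool:
        """Return True if a reset email may be sent for this request."""
        now = time.monotonic() if now is None else now
        key = self._normalize(raw_email)
        hits = self._hits[key]
        # Drop request timestamps that have aged out of the window.
        while hits and now - hits[0] >= self._window:
            hits.popleft()
        if len(hits) >= self._max:
            return False
        hits.append(now)
        return True


# Constructed sample: one mailbox requested eight times with varied case and
# whitespace, one request per second, all inside a single window.
CASE_VARIANTS: List[str] = [
    "dev.mail@example.com",
    "Dev.Mail@example.com",
    "DEV.MAIL@EXAMPLE.COM",
    "dev.mail@Example.Com",
    "dEv.MaIl@example.com",
    "dev.mail@EXAMPLE.com",
    "DEV.mail@example.COM",
    "  dev.Mail@example.com ",
]


def emails_sent(variants: List[str], normalize: Callable[[str], str]) -> int:
    """Count how many reset emails a floodcheck using `normalize` would send."""
    check = ResetFloodcheck(normalize)
    return sum(1 for i, v in enumerate(variants) if check.allow(v, now=float(i)))


if __name__ == "__main__":
    naive = emails_sent(CASE_VARIANTS, lambda e: e)           # raw string as key
    hardened = emails_sent(CASE_VARIANTS, canonical_email)    # canonical key
    print(f"raw-string key: {naive} of {len(CASE_VARIANTS)} sent")
    print(f"canonical key:  {hardened} of {len(CASE_VARIANTS)} sent")
```

Keyed on the raw string, every case variant lands in its own bucket and all eight emails go out; keyed on the canonical form, the limit trips after three. A per-address key alone does not help when one source hammers many different addresses, which is what the later replies in this thread describe, so in practice the same limiter is also applied per client IP and per account, and the counters are surfaced to monitoring so a burst like this pages someone instead of filling inboxes.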

Thank you all!

Engineering has resolved the issue. If you continue to experience any issues please let us know.

5 Likes

Yep, I stopped counting. I was at around 1600 or so when I checked last night. Changed my password to something a bit beefier… but if they did manage to get into my account & steal/spend my saved Robux, it’d basically be the same as taking a few months of my income for rent and bills… so I really hope this gets resolved. I’m a bit paranoid right now.

EDIT: Didn’t see Nightgaladeld’s comment above. Glad it’s resolved 🙂

EDIT EDIT: Nope, not fixed… still getting the emails.

1 Like

It doesn’t appear to be fixed. I just got a password reset email just now.

2 Likes

Same here, just got an email and I fear it’s not the first and only one.

EDIT : Oops forgot to scribble out the bottom. Not a big deal, my email is already on a public portfolio anyways.

It may be unrelated but me and several other members of the devforum discord got password reset emails all in the same few minutes. I don’t think this is fixed, or alternatively there’s an underlying issue that’s the root cause.

EDIT: Literally as I finished typing this I got another password reset email. This is definitely not fixed.

2 Likes

There must be an API they are calling, there is no way they have pretty much every developers email address since everybody seems to have gotten them at the same time.

1 Like

My friend @Spathi got an email just as I got done telling him about the one I got, but he’s not in the devforum discord (he was up until recently), so I doubt it’s related.

This is what concerns me. If there’s an exposed API that’s leaking our emails, what else could this exposed API be leaking about us?

3 Likes

Same boat as everyone else, got a password reset email a couple minutes ago.

Is there any confirmation that they’re just abusing some sort of API and don’t have people’s emails?

1 Like

Yep. Been getting a couple and it seems to be at the exact same time as everyone else (found out by chatting over discord when they happen)

Getting password resets as well.

Bump, same issue here, hope this gets resolved soon.

I too started getting these emails around midnight (EST).

Obligatory “same here” message. I just received 3 within 20 minutes of each other, but I didn’t receive any before the issue was supposedly marked as fixed. Worth noting that my email is public for business stuff.