It seems like the bot doing this is bypassing floodchecks by randomly varying the letter-case of the characters in my email address.
I don’t know how much of a load Roblox’s email servers can handle or if I’m the only person being targeted by this, but I wanted to report it in case they manage to trigger something bad or crash something.
It shouldn’t be possible to brute force someone’s reset ticket. Roblox went the extra mile to make sure it’s computationally infeasible to guess someone’s ticket before the heat death of the universe.
My main concern is more that Roblox’s email server is getting DDoS’d here.
Looks like Roblox needs to add a string.lower() to get rid of that case sensitivity bypass lol
In all seriousness, this is really strange. I’m pretty sure this attack is just to aggravate developers and nothing more. I see no logical reason why someone would spam a password request so many times, unless they are expecting to crash the mail in order to make it throw out an error that reveals information about its OS, as well as what it’s running in order to gain an edge in finding an exploit for the mail server?
If they were trying to crash it though, it’d probably be a better idea to keep that on the low, wouldn’t it? Attacking a developer’s account is probably the worst way to stay under the radar.
Regarding what CloneTrooper1019 said, let’s just hope those hashes are super salty.
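The bypass described in the thread (a flood check keyed on the raw address string, defeated by varying letter case) is easy to reproduce and to fix. The following is an added example in Python, not code from the thread or from Roblox: it runs the same burst of case-varied reset requests against a naive limiter keyed on the raw string and against one keyed on a normalized address. The per-address policy (3 requests per hour) and the constructed address variants are assumptions for illustration; normalization here is only for the rate-limit key, the original string is still what you would hand to the mailer.

```python
import time
from collections import deque

# Assumed policy for this example: at most 3 reset mails per address per hour.
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


def normalize_email(addr: str) -> str:
    """Canonical form used as the flood-check key (not for delivery).

    The domain is case-insensitive by definition. The local part is technically
    case-sensitive (RFC 5321), but practically every provider treats it as
    case-insensitive, and for abuse counting we want every case variant of one
    mailbox to land in the same bucket.
    """
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local.lower()}@{domain.lower()}"


class FakeClock:
    """Deterministic clock so the example does not depend on wall time."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class ResetRateLimiter:
    """Sliding-window counter per key; key_fn decides what 'one address' means."""

    def __init__(self, key_fn, max_requests=MAX_REQUESTS_PER_WINDOW,
                 window_seconds=WINDOW_SECONDS, clock=time.monotonic) -> None:
        self.key_fn = key_fn
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.buckets: dict[str, deque] = {}

    def allow(self, addr: str) -> bool:
        key = self.key_fn(addr)
        now = self.clock()
        bucket = self.buckets.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if len(bucket) >= self.max_requests:
            return False
        bucket.append(now)
        return True


def count_allowed(limiter: ResetRateLimiter, requests: list[str]) -> int:
    """Number of requests in the list that would result in a reset mail."""
    return sum(1 for addr in requests if limiter.allow(addr))


# Constructed sample: the same mailbox written with varying letter case.
CASE_VARIANTS = [
    "dev@example.com",
    "Dev@example.com",
    "DEV@example.com",
    "dev@Example.COM",
    "dEv@eXaMpLe.CoM",
]


def demo() -> tuple[int, int]:
    """Returns (mails sent by the naive limiter, mails sent by the hardened one)."""
    burst = CASE_VARIANTS * 2  # 10 requests inside one window
    naive = ResetRateLimiter(key_fn=lambda a: a, clock=FakeClock())
    hardened = ResetRateLimiter(key_fn=normalize_email, clock=FakeClock())
    return count_allowed(naive, burst), count_allowed(hardened, burst)


if __name__ == "__main__":
    naive_sent, hardened_sent = demo()
    print(f"raw-string key: {naive_sent} mails sent; normalized key: {hardened_sent} mails sent")
```

With the raw string as the key, every spelling of the address gets its own fresh quota, so all ten requests go out; with the normalized key, the mailbox gets exactly its three and the rest are dropped. In a real deployment you would also want a second limit keyed on the requesting client (IP or session), since a normalized-address limit alone says nothing about one client hammering many different addresses, which is the pattern the later posts in this thread describe.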
Yep, I stopped counting. I was at around 1600 or so when I checked last night. Changed my password to something a bit beefier… but if they did manage to get into my account & steal/spend my saved Robux, it’d basically be the same as taking a few months of my income for rent and bills… so I really hope this gets resolved. I’m a bit paranoid right now.
EDIT: Didn’t see Nightgaladeld’s comment above. Glad it’s resolved
EDIT EDIT: Nope, not fixed… still getting the emails.
It may be unrelated, but several other members of the devforum discord and I got password reset emails all in the same few minutes. I don’t think this is fixed, or alternatively there’s an underlying issue that’s the root cause.
EDIT: Literally as I finished typing this I got another password reset email. This is definitely not fixed.
There must be an API they are calling; there is no way they have pretty much every developer’s email address, since everybody seems to have gotten them at the same time.
My friend @Spathi got an email just as I got done telling him about the one I got, but he’s not in the devforum discord (he was up until recently), so I doubt it’s related.
Obligatory “same here” message. I just received 3 within 20 minutes of each other, but I didn’t receive any before the issue was supposedly marked as fixed. Worth noting that my email is public for business stuff.