Password reset floodcheck bypass

They do not know emails. I changed mine and I’m still receiving them. There must be an endpoint that doesn’t require it.

1 Like

This could be bad, if they are able to get everyone’s emails, this means that Roblox is effectively a giant document of free emails to use for spamming and phishing emails. This is Collection #1 all over again. I wouldn’t be surprised if Roblox showed up on this site soon: Have I Been Pwned: Page not found

Confirmed it was Username based

@Reshiram110 That gives you the IP of Roblox’s mail server, not the IP address of the person requesting the password reset.

That’s what I’m thinking. But why are they spamming it in the first place? They have nothing to gain by doing this.

1 Like

I know, but it’s the same mail server sending me the emails, so we’ve narrowed down the server that is causing the issue (at least for me, anyways).

If the engineers can get access to the server they can probably do a backwards network trace from there to see what endpoints are accessing it, and who is accessing said endpoints.

Perhaps it is just boredom.
Either way, whoever is doing it I hope they get caught.

1 Like

They’ve actually got quite a bit to gain. By spamming a mail server like this, you can get it to send out very sensitive data in the form of errors, this gives exploiters insight into how the system works, potentially leading to an exploit that will expose very important information, such as the keys used in password reset tickets.

1 Like

Seems patched now. Roblox must have deactivated the old endpoint. Emails weren’t leaked, they used an old endpoint that required a username.

18 Likes

Shucks just found it on the way back machine. Guess I can’t test it but glad it’s fixed finally.

1 Like

I just got another one 0 minutes ago :frowning:

This attack was different than yesterday’s attack. We have shut down this endpoint for now.

7 Likes

Hopefully you guys will find out who is behind this and take appropriate action. :slight_smile:

Could be a delayed email or an unrelated attempt by someone.

1 Like

I got hit with like 10 of these earlier.

I wonder who’s behind this.

The attack method was different? So someone is actively looking for ways to spam emails to us? Nice.

Just received these emails, 5+ emails in the last hour, hopefully this is fixed soon.

I got 5 emails, hopefully this is finally resolved

I’m still getting emails, they’re gradually decreasing the interval at which they’re sent.

Is this an after effect, or is there a different endpoint being abused now?

3 Likes

(referring to second bout of username based emails)

I’m pretty sure the person was using a legacy password reset endpoint under api.roblox.com, which accepted a username. It was actually listed under the /docs page until a few months ago.

I previously made someone aware of the legacy endpoint, however it was never removed. There’s no impact besides a slight annoyance, the endpoint was rate limited as far as I had tested it.

The first attack also had a relatively low impact on end users besides the sheer amount of spam, however it could have been used to smuggle phishing emails in between the legitimate reset emails since the user had the target’s email address. This isn’t possible in the method I mentioned in this reply, because the user does not have access to the target’s email.

2 Likes
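The post above describes the core of the problem: two reset entry points (one keyed on email, a legacy one keyed on username) each with its own limit, so the second one sidestepped the floodcheck on the first. The sketch below is an added example, not Roblox’s code, of the defensive pattern that prevents that: every reset endpoint resolves the lookup handle to an account id first, then consults one shared floodcheck keyed on that id (plus a looser per-requester cap), and answers identically whether or not the account exists so neither endpoint confirms usernames or emails. The account directory, the IP range and the `SENT` mail queue are constructed stand-ins.

```python
"""Added example (not Roblox's code): one per-account password-reset
floodcheck shared by every reset entry point, so a second endpoint that
accepts a different lookup key (username instead of email) cannot bypass it."""
import time
from collections import defaultdict, deque

# Constructed sample directory. The limit is keyed on the account id, never
# on the handle the caller supplied.
ACCOUNTS = {
    1001: {"username": "builder_one", "email": "one@example.invalid"},
    1002: {"username": "builder_two", "email": "two@example.invalid"},
}
BY_USERNAME = {a["username"].lower(): uid for uid, a in ACCOUNTS.items()}
BY_EMAIL = {a["email"].lower(): uid for uid, a in ACCOUNTS.items()}


class ResetFloodcheck:
    """Sliding-window cap on reset emails per target account and per requester."""

    def __init__(self, per_account=3, per_requester=10, window_s=3600):
        self.per_account = per_account      # emails one account may receive per window
        self.per_requester = per_requester  # requests one source IP may make per window
        self.window_s = window_s
        self._account_hits = defaultdict(deque)
        self._requester_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] > self.window_s:
            hits.popleft()

    def allow(self, account_id, requester_ip, now=None):
        now = time.time() if now is None else now
        acct = self._account_hits[account_id]
        req = self._requester_hits[requester_ip]
        self._prune(acct, now)
        self._prune(req, now)
        if len(acct) >= self.per_account or len(req) >= self.per_requester:
            return False
        acct.append(now)
        req.append(now)
        return True


SENT = []  # constructed stand-in for the outgoing mail queue


def _request_reset(account_id, requester_ip, floodcheck, now):
    # Only enqueue mail for a real account that is under its limit.
    if account_id is not None and floodcheck.allow(account_id, requester_ip, now):
        SENT.append((account_id, now))
    # Identical response for unknown account, rate-limited account and success,
    # so neither entry point can be used to enumerate usernames or emails.
    return {"status": "ok", "message": "If the account exists, an email has been sent."}


def reset_by_email(email, requester_ip, floodcheck, now=None):
    return _request_reset(BY_EMAIL.get(email.lower()), requester_ip, floodcheck, now)


def reset_by_username(username, requester_ip, floodcheck, now=None):
    """Legacy-style entry point; it shares the floodcheck with reset_by_email
    instead of carrying its own, which is what closes the bypass."""
    return _request_reset(BY_USERNAME.get(username.lower()), requester_ip, floodcheck, now)


def simulate_mixed_flood(n_requests=20):
    """Alternate both endpoints against one account from rotating source IPs
    within a single window; return how many reset emails were actually sent."""
    fc = ResetFloodcheck(per_account=3)
    SENT.clear()
    for i in range(n_requests):
        ip = f"203.0.113.{i % 50}"  # constructed rotating source (documentation range)
        if i % 2 == 0:
            reset_by_email("one@example.invalid", ip, fc, now=1000.0 + i)
        else:
            reset_by_username("builder_one", ip, fc, now=1000.0 + i)
    return len(SENT)


if __name__ == "__main__":
    print("emails sent during mixed flood:", simulate_mixed_flood())  # 3
```

Because the cap lives on the resolved account id, rotating the requester address or switching between the email and username endpoints does not change the count: the target still receives at most `per_account` emails per window. The uniform response is the other half of the point made in the thread, since a username-keyed endpoint that answered differently for unknown users would also leak which usernames exist.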

I am still receiving these but at the moment it’s at 4 and the latest was about 2 hours ago.

Just received another a second after this post.