Hi all, thanks for your patience! We’re still investigating and will post an incident report in the next week or two with more details about what happened and what we’re doing to prevent it for the future as soon as we can. We treat the confidentiality of your content as critical so a bug like this is a major concern for us.
If your place source code is ever leaked, make sure to change any API keys you are using. If the place is republished to the platform you can submit a DMCA request to have the place taken down.
I’ve had experiences leaked (stolen) in the past and support was willing to remove republished copies once, further requests were denied with the response of
“Unfortunately, as a stolen game can be stored on hard drives as a backup, we may be unable to assist with further thefts of the same game. We appreciate your understanding.”
Although when I argued this with support they removed a few more reuploads - eventually - they stopped responding altogether, leaving stolen copies published on the platform. These reuploads are still live (I began being ignored by support in May of 2020) and have amassed millions of visits which hurts me as a developer directly.
Has this policy changed on this, or should developers expect the same response going forward?
If you published a new universe between 3/24/22 9:45 AM and 3/26/22 8PM PST, there is a possibility that the source code of the start place of that universe was accessed. We’re still looking into this and will notify affected developers directly if we can.
I am not sure what our latest policies are on this but ideally we want to handle all valid takedown requests. Would recommend you continue using our DMCA process for this but please understand if we can’t address all the reports / handle them in a timely manner!
I am afraid as recently as last month I, and people.i work with, continue to get the “only take stuff down once” excuse and similar.
In fact last time they claimed there was no way for places to be stolen and we should all check our accounts are secure.
I’m not sure gas lighting developers about account security instead of admitting it’s possible (and unavoidable) for anything on the client to be stolen.
Also it seems the option to allow copying has been entirely disabled as of yesterday?
Just for further clarification, does that mean that if you already had a game/universe released and you happened to update its root place in between those two days, your game could not possibly have been affected by this?
Not only a new universe, but any game that was published using publish as was affected, for example, people who publish their developing place to the main game would be affected.
If you used the publish as button, then your place was certainly affected, however I’m not quite sure if the main publish button caused this issue also
That’s why I’m asking for clarification, because the original statement makes it seem like next to no people would be affected, since whole games are rarely uploaded to new universes.
well, quite alot of developers have separate places for experimental features or for new update development entirely, so it is more common than you’d think
On March 24, an apis.roblox.com site update caused new places published from Roblox Studio to new experiences (through File > Publish to Roblox, or selecting “Create New Game” through File > Publish to Roblox As) to enable “Allow Copying” setting by default. This meant that new experiences published this way could be opened in Studio by any user while copying was enabled for that place.
The issue was fully patched on March 26, and we have disabled “Allow Copying” setting for all experiences created between March 24 - 26. Developers who may have been affected have been contacted directly via the email associated with their Roblox account.
If you are among the affected group we recommend that you rotate and update any API keys that are stored in your code. If you believe there is a copy of your experience that has been published and can provide the link to the published copy-experience, you can create a support ticket at Support - Roblox and select the DMCA option.
Here are some more technical details for those interested:
The bug that led to this incident was a combination of several complex factors. The main factor was a template place setting overwrite failure. This configuration is sent to apis.roblox.com from Roblox Studio when creating a new place. Template places, such as the baseplate, must be copyable as they are templates - the “allow copying” setting was incorrectly propagated through our system and applied to the new place that was created for the universe.
The bug was not present in any other place creation flow, such as adding a place to an existing universe or starting places created on account creation.
We are improving our test coverage on our place creation flows and taking steps to consolidate place creation in our backend to reduce potential points of failure.
Roblox takes incidents like this very seriously and is always working to improve our systems to avoid such issues wherever possible. We appreciate your patience as we continue to work tirelessly on protecting your development experience.