Reports of a “Security Alert” Phishing Scam

Creators,

We have been notified of a phishing scam impersonating Roblox Security Alert. This fraudulent email directs users to a fake “Reset Password” page asking for the following information:

  • Old Password
  • New Password
  • Confirm New Password

This page mimics the Roblox recovery flow and may even display your Roblox account’s username and avatar to make the phishing attack appear more convincing.

If you did not receive the email or did not fill out the form with your information, such as your username and password, there is no risk to your account, and no further action is required from your side.

If you did submit your information through the phishing link, please follow the steps below:

  1. Change your Roblox account password

  2. If you are unable to change your password, please contact Roblox Support for assistance.

For more information on how to keep your account safe, please visit our Help Center.

Thank you.

241 Likes


Same method as last time, bad actors utilizing past RDC data breaches to target high-profile accounts.

63 Likes

Always remember to personally go to the Roblox website yourself and change the password from there. Don’t trust an email link to do it for you.

Alternatively, you can always mark the contact no-reply@roblox.com as trusted/VIP so you know if the sender is genuine or not.

50 Likes

For any user experiencing this, I recommend trying to set up a filter that automatically deletes emails or puts them in a special folder, “Unknown”, if you are unaware of the domain.

For example, @roblox.com would be trusted, but if it’s from another domain that is not within the trusted list, it deletes it or puts it in an “Unknown” folder.

35 Likes

This is why you must always check the URL before clicking it. If it says anything other than roblox.com, it’s probably a phishing link.

30 Likes
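As an added example (not code from the thread or from Roblox), here is a small Python filter rule that implements the allowlist idea from the replies above: it classifies the sender domain of a From header, and the host of a link, as trusted, lookalike or unknown. The trusted-domain set and the sample headers are assumptions constructed for illustration.

```python
# Added example, not from the original thread: sort mail by sender domain
# against an allowlist, and flag brand-lookalike domains separately.
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist; a subdomain of an entry is trusted as well.
TRUSTED_DOMAINS = {"roblox.com"}

def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def is_trusted(domain: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify(domain: str) -> str:
    """trusted / lookalike / unknown bucket for a bare domain name."""
    if not domain:
        return "unknown"
    if is_trusted(domain):
        return "trusted"
    # Domains such as accounts-roblox.com contain the brand name but are not
    # the brand's domain; keep them in their own bucket for closer review.
    if "roblox" in domain:
        return "lookalike"
    return "unknown"

def classify_sender(from_header: str) -> str:
    return classify(sender_domain(from_header))

def classify_link(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return classify(host)

# Constructed sample From headers modelled on addresses mentioned in the thread.
SAMPLES = [
    "Roblox <no-reply@roblox.com>",
    "Roblox Security <noreply@accounts-roblox.com>",
    "Roblox <alerts@mailbox.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9} {header}")
```

A display name of “Roblox” is ignored on purpose; only the address after the @ decides the bucket.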

The phishing emails have taken up using subdomains which seem like they should be owned by Roblox, such as @noreply-roblox.com

19 Likes

Also, that email has a verified checkmark on Gmail. If it doesn’t, then I guess it could be a scam.

21 Likes

Yeah, but phishing verified checkmarks are possible. So it’s better to mark the email instead of relying on checkmarks.

10 Likes

Such breaches, IIRC, are on HIBP; feel free to check if your email is on there.

I have no idea how else they’d get the email addresses of top Roblox developers.

10 Likes

Glad I saw this post before checking my email today; I got one from an @accounts-roblox.com :woozy_face:
Thank you for posting these advisories, because they really do help a lot.

Update 2025-04-20T07:00:00Z: just got one from a @mailbox.org?? And it didn’t get flagged as spam, but I can tell it’s fake, so this is weird.

4 Likes

Classic scam attempt, fake emails. I’m surprised it still works on people.

2 Likes

If they make it look convincing enough then most people who aren’t as technically inclined or scam-aware won’t even doubt it is real unless they notice the email address or some other oddity with the email.

3 Likes

:shield: Hey Creators,

Thanks to Roblox for the heads-up! Phishing scams are getting smarter every day — this one is especially dangerous because it mimics the official password reset flow and shows your real username and avatar :flushed:

If you got a sketchy email pretending to be a Roblox Security Alert, don’t click anything and double-check the sender. Only trust emails from no-reply@roblox.com.

:closed_lock_with_key: Reminder to everyone:

  • Never enter your password outside of the official Roblox site.
  • Enable 2-step verification.
  • Use strong, unique passwords.

We’re all part of this creative community — let’s protect each other by staying informed and reporting suspicious stuff :mag:

Stay safe out there, and keep building awesome things! :rocket:

6 Likes

I received this email but I was surprised it was sent to an email address (an email address exclusive for one account) which isn’t contained in the RDC invite breaches. Even checked it with haveibeenpwned. Kinda unsettling with the prospect that there may have been a potential breach recently.

Here’s a snapshot of what it looks like to be on alert for:

From the WHOIS domain info, it was registered recently. Allegedly they thought about 2FA, and the fake site may attempt to detect if an account has it enabled in order to deceive victims into entering a recovery/authenticator code to “reset” their password.

8 Likes

I also got a false “Security Alert”, but my mail provider flagged it as spam; it was from noreply@accounts-roblox.com. The domain is already down.

1 Like

This was looked into; most of the users aren’t even on the RDC breach list.

1 Like

There was never a public website; it only got used for the emails.

The domain is still active.

2 Likes

I don’t think it makes sense for them to be targeting random Robloxians.

I also saw this on a separate related article.

It would make the most sense for them to be targeting developers.

2 Likes

I’ve created an email just for Roblox, and have never used it on any other website, and I got one of the scam emails.
There must have been a data breach on Roblox’s end that hasn’t been disclosed.

5 Likes