Got it, removed that. Thank you! It might not be fixed though.
remove the webhook since it would be useless if the hacker already knows the hook so you could delete the webhook from your discord
There aren’t 10000000% ive check all of them
How do I fix that then? This has ruined my game, they have even cleared player data…
I’m afraid that’s not how discord webhook proxy services work.
1 Like
Easy, verify the objects, an example
local GameFolder = workspace.game
RemoteEvent.OnServerEvent:Connect(function(plr, object: Instance)
if typeof(object) == "Instance" and object:IsA("BasePart") and object:IsDescendantOf(GameFolder) then
object:Destroy()
end
end)
Same with any type of thing:
- Check its type with
typeof. - If it is an instance, verify that it has the correct
ClassName. - If it is a number, boolean or anything else, verify that it is in the correct range (if it is transparency it must be between 0 and 1, etc.)
As repeated everywhere… NEVER TRUST THE CLIENT
(obviously I’m not referring to the players, I’m referring to the data they can send)
Yeah those are leaked OpenCloud API keys, the webhook service here in question is webhook.lewisakura.moe, which is a known free proxy to send webhook messages from Roblox servers to Discord for logging purposes. 
One of your devs probably gave the OpenCloud key too many permissions and it got leaked, or one of their accounts were compromised.
1 Like
But I’m confused just because I’m using a forloop it means the whole game can be practically “backdoored”. Roblox needs to up their own security. May I ask for your discord so I can talk with you with my Manager?
that’s what I did for my webhook, to log bans and stuff and that’s how they hacked my game
It is a technically injected script, not a backdoor btw.
Of course, same user on Discord.
Added, I appreciate the support, this is a rough time for all
your game wont get hacked by sending a post request to a proxy, not how it works
3 Likes
Check for any malicious plugins (not sure if this has been mentioned already)
Roblox has security (even if its questionable at best) - as a developer I’d still recommend taking the extra time to implement safeguards regardless. Can’t rely on roblox for much these days.
1 Like
Anywho, when you finally fix the game you should rollback player data since you’ve already mentioned data loss.
DataStore:GetVersionAtTimeAsync is really handy.
1 Like
What safeguards exactly aha. I’m not very sure
Take this as an example - protecting your RemoteEvents. Making sure that no malicious payloads could be sent by an exploiter (its possible, stuff happens). Never put trust in your client.
Can you confirm that your the banning is gone now? The posts are pretty hectic so it’s hard to track what’s happening.
Your webhook should be fine unless you gave it permissions to modify your game, such as deleting a player object/kicking/banning. If all you’re doing with HTTPService is to send information to your discord server, hackers cannot use that.
If you made a remote admin command that lets you kick players ingame through discord commands, that would be a problem, especially if part of your pipeline is compromised (ie leaked API key).
Like I mentioned before, you should use a diagnostic tool like the one I sent above and share with us the log so we could get a better idea of your potential vulnerabilities/issues. We cannot give you a DEFINITIVE answer unless we get more information or look at the scripts. The tool should help give some information without revealing your whole code.
2 Likes
Yeah sadly it wasnt the HTTPS, I just didnt have any checks on any of my events, so im not gonna sleep tonight!