I see that but how?
We don’t have any back doors
Yes we do… I think I know what it is. We have this website for discord webhooks https://webhook.lewisakura.moe/ … Could that be it?
I made a webhook before for my game and exploiters accessed it and was able to hack my game
It is not a backdoor, they could use one of your remote events but with changed parameters.
Basically, with an injector they insert a script that uses a remote event and pass it parameters that they shouldn’t.
If you’re only sending a POST request then that cannot be it, as it would have to be a GET request and using loadstring or a lua parser with that.
Check your RemoteEVents/Remote Functions or similar, if there are no require backdoors then that is the cause.
1 Like
Got it, removed that. Thank you! It might not be fixed though.
remove the webhook since it would be useless if the hacker already knows the hook so you could delete the webhook from your discord
There aren’t 10000000% ive check all of them
How do I fix that then? This has ruined my game, they have even cleared player data…
I’m afraid that’s not how discord webhook proxy services work.
1 Like
Easy, verify the objects, an example
local GameFolder = workspace.game
RemoteEvent.OnServerEvent:Connect(function(plr, object: Instance)
if typeof(object) == "Instance" and object:IsA("BasePart") and object:IsDescendantOf(GameFolder) then
object:Destroy()
end
end)
Same with any type of thing:
- Check its type with
typeof. - If it is an instance, verify that it has the correct
ClassName. - If it is a number, boolean or anything else, verify that it is in the correct range (if it is transparency it must be between 0 and 1, etc.)
As repeated everywhere… NEVER TRUST THE CLIENT
(obviously I’m not referring to the players, I’m referring to the data they can send)
Yeah those are leaked OpenCloud API keys, the webhook service here in question is webhook.lewisakura.moe, which is a known free proxy to send webhook messages from Roblox servers to Discord for logging purposes. 
One of your devs probably gave the OpenCloud key too many permissions and it got leaked, or one of their accounts were compromised.
1 Like
But I’m confused just because I’m using a forloop it means the whole game can be practically “backdoored”. Roblox needs to up their own security. May I ask for your discord so I can talk with you with my Manager?
that’s what I did for my webhook, to log bans and stuff and that’s how they hacked my game
It is a technically injected script, not a backdoor btw.
Of course, same user on Discord.
Added, I appreciate the support, this is a rough time for all
your game wont get hacked by sending a post request to a proxy, not how it works
3 Likes
Check for any malicious plugins (not sure if this has been mentioned already)
Roblox has security (even if its questionable at best) - as a developer I’d still recommend taking the extra time to implement safeguards regardless. Can’t rely on roblox for much these days.
1 Like