Roblox Support does not use the latest account records

While contacting Roblox Support, I was asked to refile my case using the email address tied to my account, which confused me, as I had already been doing so. When the support agent provided a hint as to which email was connected to my account on their end, I realised that they were looking at the original email address that I used at the time of account creation, which was in 2014 (mentioning as I’m not sure if the fact that my account was created ten years ago had any role to play in this).

This is a serious security issue – too often are inboxes compromised, and when that happens, people update their accounts so as to minimise and mitigate further risks to their accounts. If Roblox Support relies on the original email address in order to verify a person’s identity, then such a hacker could then compromise an unsuspecting person’s account, even long after they’ve updated their email address in their account settings. In any case, it’s not reasonable to expect that a person should continue to have access to that inbox, if their email had been hacked or otherwise lost, in which case, they have no hope of proving their identity.

Although an incredibly frustrating one, it’s even more so a puzzling bug, since the Roblox website clearly shows my current email address in my account settings, and submitting a forgotten username request under that same email results in my account appearing, as expected (by this logic, I’ve assumed that this must be a bug of some sort, hence why I’m filing this report here).

Not sure if this is just an isolated issue (perhaps just related to my account or the support agent I had this once), but with millions of accounts out there, even if we were to presume that this was a once-off, that it is even happening to begin with is nevertheless a cause for concern.

Expected behavior

Roblox Support should be using the most current account records when verifying that an account belongs to someone.

A private message is associated with this bug report

9 Likes

I also have this issue.

They’ve asked me several times (from different support tickets) to contact them from email addresses that I no longer use, even an email address that doesn’t exist (a malicious user could make a custom domain and therefore compromise my account). This is indeed a massive security issue and Roblox needs to fix it.

3 Likes

I, too, suffered this issue when attempting to submit a GDPR request. I no longer have access to the original email used to create my account, meaning I quite literally cannot complete a request. It’s not an isolated issue.

3 Likes

I thankfully haven’t experienced this myself (which, considering everything, is very surprising); however, my account’s first linked email (not in use for easily like 10ish years now) is completely gone, to the point of the mail service itself being shut down.
If I did have to suffer a fate like this, it’s not a case of “oh just go back and re-claim my old username”, the whole thing just outright does not exist (at least at the domain that was used at the time).

This should be raising many more questions however: Just how bad are the services support apparently uses? The emails might be out of date, but how about things like phone numbers? Past usernames? Or things that are indirectly linked to our account (content uploaded by us, tickets filed under our username, emails linked to our username, any of the above done with a previous username)?
Or, alternatively, WHY is it giving them outdated info? Is it broken? Does it not update? Is our data not being stored properly?

3 Likes

I have the same issue.

I attempted to submit a GDPR request on 12/7/2024; however, they are requesting me to contact them from an email address that actually doesn’t exist (an old email address I put a wrong email domain for, the email wasn’t even verified).

I contacted them from the same current email address of my Roblox account (it has not been changed in over a year) and this is what Roblox Support said:

We are not able to confirm ownership of the account with the information that you’ve provided.

I even stated this in the GDPR request:

To prove ownership of the account, the email address for the account is the same email address this email is being sent to you.

This issue has to be fixed and not ignored.

2 Likes

This is still occurring, even after 5 months (this message was sent to me a day ago by Roblox Support).

They are requesting me to contact them from an email that doesn’t even exist; “outook” is a spelling mistake of “outlook”.

The last time I used my actual Outlook account was over 5 years ago or so. I have not recently changed my Roblox account’s email, by the way (same Roblox account email for over 2 years).

If somebody wanted to compromise an account, they can just get into one of the victim’s old emails that they no longer use and then because of this, can cause very annoying issues to the account owner. Hope Roblox can understand this is an issue and fix it.

The customer support agents will usually ask you to email them on the first email verified on the account for security-related requests. Unfortunately, this is intentional.

The email account I mentioned was never verified.

The new ticket submitted was a GDPR Request.

Sometimes, they permit me to proceed further with such requests but often they ask me to email them from non-existent email accounts which tends to waste time.

If they use outdated information, that can definitely compromise user security as mentioned by the OP.

If the email was never verified, you should make a different bug report. This one was closed long ago as it is intentional behaviour and won’t be seen by staff.