While contacting Roblox Support, I was asked to refile my case using the email address tied to my account, which confused me, as I had already been doing so. When the support agent provided a hint as to which email was connected to my account on their end, I realised that they were looking at the original email address that I used at the time of account creation, which was in 2014 (mentioning as I’m not sure if the fact that my account was created ten years ago had any role to play in this).
This is a serious security issue – too often are inboxes compromised, and when that happens, people update their accounts so as to minimise and mitigate further risks to their accounts. If Roblox Support relies on the original email address in order to verify a person’s identity, then such a hacker could then compromise an unsuspecting person’s account, even long after they’ve updated their email address in their account settings. In any case, it’s not reasonable to expect that a person should continue to have access to that inbox, if their email had been hacked or otherwise lost, in which case, they have no hope of proving their identity.
Although an incredibly frustrating one, it’s even more so a puzzling bug, since the Roblox website clearly shows my current email address in my account settings, and submitting a forgotten username request under that same email results in my account appearing, as expected (by this logic, I’ve assumed that this must be a bug of some sort, hence why I’m filing this report here).
Not sure if this is just an isolated issue (perhaps just related to my account or the support agent I had this once), but with millions of accounts out there, even if we were to presume that this was a once-off, that it is even happening to begin with is nevertheless a cause for concern.
Expected behavior
Roblox Support should be using the most current account records when verifying that an account belongs to someone.
They’ve asked me several times (from different support tickets) to contact them from email addresses that I no longer use, even an email address that doesn’t exist (a malicious user could make a custom domain and therefore compromise my account). This is indeed a massive security issue and Roblox needs to fix it.
I, too, suffered this issue when attempting to submit a GDPR request. I no longer have access to the original email used to create my account, meaning I quite literally cannot complete a request. It’s not an isolated issue.
I thankfully haven’t experienced this myself (which, considering everything, is very surprising); however, my account’s first linked email (not in use for easily like 10ish years now) is completely gone, to the point of the mail service itself being shut down.
If I did have to suffer a fate like this, it’s not a case of “oh just go back and re-claim my old username”, the whole thing just outright does not exist (at least at the domain that was used at the time)
This should be raising many more questions however: Just how bad are the services support apparently uses? The emails might be out of date, but how about things like phone numbers? Past usernames? Or things that are indirectly linked to our account (content uploaded by us, tickets filed under our username, emails linked to our username, any of the above done with a previous username)?
Or, alternatively, WHY is it giving them outdated info? Is it broken? Does it not update? Is our data not being stored properly?
I attempted to submit a GDPR request on 12/7/2024; however, they are requesting me to contact them from an email address that actually doesn’t exist (an old email address I put a wrong email domain for; the email wasn’t even verified).
I contacted them from the same current email address of my Roblox account (it has not been changed in over a year) and this is what Roblox Support said:
We are not able to confirm ownership of the account with the information that you’ve provided.
I even stated this in the GDPR request:
To prove ownership of the account, the email address for the account is the same email address this email is being sent to you.