Significantly reducing damage from getting hacked via suspicious activity detection

As a Roblox developer, the risks and resulting damages from getting hacked are currently far, far too high for what they could be.

The problem

The current safety features, such as an authenticator and hardware security keys, are awesome for keeping malicious people out. However, when a hacker inevitably sometimes does get into someone’s account (which has lately happened to me), such as through gaining remote access via a virus, they can easily change all their credentials and transfer their groups/games and robux over to themselves in a matter of MINUTES.

The damage can take weeks to months to be reverted, and in many cases stays completely unresolved. (My game, for example, has now been under the control of hackers for around 20 days without any positive signals from Roblox support so far.)

My suggestion

In short, I propose the following idea:
Whenever an account is logged in from a completely new IP or location AND attempts to hastily do anything suspicious, the account should be softlocked.

What counts as “suspicious”?

Say the account, which was very recently logged in from, for example, Azerbaijan, although the user has always logged in from Britain, attempts to do any of the following:

  • Transfer a group/game owned by the user to another user/group
  • Spend/transfer a large amount ( >100k R$ ) in a short time frame ( a day )
  • Publish significant changes to a popular experience

Then the user would be labeled as “Suspected as hacked” and should get softlocked.

Whether or not to even consider someone as possibly suspicious should be determined based on whether they’ve ever been logged in from that IP / country before, at least 7 days ago (excluding the times it was verified to be a hacker that logged in).

What do I mean by “Softlocked”?

When a user is labeled as “Suspected as hacked”, they should be constrained in the following ways:

  • They aren’t able to transfer any games/groups
  • They aren’t able to spend/transfer large amounts of robux from their account or any group
  • They aren’t able to publish changes to popular experiences

Let me explain these a bit more.

Group/game transfers should be fairly self-explanatory: so that they couldn’t straight up just steal your game(s).

The user should still be able to spend smaller amounts of robux ( for example <100k R$ ) in case it was a false alarm, so as to not disturb gameplay. However, the limit is there so that the hackers couldn’t cause too much damage by draining all your funds.

Popular experiences (such as those that have, say, >100 CCU) should become unpublishable by your account so that the hackers couldn’t try to ruin them or couldn’t try to get them taken down (from personal experience, the hackers do choose anarchy quite often if they can’t get benefit). They should still be able to save changes in studio in case it was a false alarm so as to not disturb development too much.

The softlock should stay active for 7 days to give the actual account owner time to prove and recover ownership through Roblox support in case they were hacked. If it was a false alarm, they could still send a support ticket to get the label taken off sooner, given they have sufficient proof of account ownership.

Extra details

In order to not impede the platform’s usage (such as for VPN users), this should be a toggleable setting under “Security” in account settings, defaulted to off. That way, those that feel the need for the added security can always toggle it on (high-profile users, those who own popular games/groups, or just anyone who wants it).

It’d also be nice to be able to toggle the three specific suspicion detections ( game/group transfer, extensive robux spending, game publishing ) separately to further decrease the impact on those that might not want all three to trigger the security feature.

Also, an important note: if the option is toggled off, it should still stay active for 7 days so that a hacker couldn’t just render the feature useless by toggling it off right after gaining access to an account.

By making it a toggleable option, it can have no negative impact, since all those that could find it harmful to development can just disable it (or never enable it in the first place).

If Roblox is able to address this issue, it would improve my and everyone else’s development experience because it would very significantly reduce the potential (and very real) damage from getting hacked.

PS: My game that got hacked and stolen

In case anyone who can help happens to read this, my game Lost Aisles, which was previously under my group hehe game go brr, was transferred over to a fake group, which was conveniently renamed to Lost Aisles Community.

This happened from the 16th to the 17th of February, when my account got hacked and the game, group and all funds got transferred, yet all Roblox support tickets about the game have either been ghosted, replied to about a completely wrong subject, or have outright refused to help.

Roblox has at least recovered the funds and the group, though, but the most important one, the game, is still under the hackers’ group and is getting over 1000 CCU during weekends. I have also seen the hackers use my game as a way to reach more victims, since they state that they own my game and gain trust that way.

2 Likes
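As an added illustration of the rule set proposed in the post above (example code, not from the post or from Roblox), here is a small Python policy evaluator that applies the stated thresholds: a location counts as known only when the account logged in from it at least 7 days ago and that login was not later confirmed as the attacker's; a suspicious action from an unknown location softlocks the account for 7 days, during which only the three flagged action types are blocked; and turning the setting off leaves it active for another 7 days. The `Account` fields, the action dictionaries and the country names are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ROBUX_DAILY_LIMIT = 100_000               # proposal: >100k R$ within a day is suspicious
POPULAR_CCU = 100                         # proposal: >100 CCU counts as a popular experience
KNOWN_LOCATION_MIN_AGE = timedelta(days=7)
SOFTLOCK_DURATION = timedelta(days=7)


@dataclass
class Account:                            # constructed shape for the example
    protection_enabled: bool
    login_history: List[Tuple[str, datetime, bool]]  # (country, when, later verified as attacker)
    robux_spent_last_day: int = 0
    protection_disabled_at: Optional[datetime] = None
    softlocked_until: Optional[datetime] = None


def location_is_known(account: Account, country: str, now: datetime) -> bool:
    """Known only if seen at least 7 days ago, ignoring logins confirmed as the attacker's."""
    return any(c == country and not hacked and now - t >= KNOWN_LOCATION_MIN_AGE
               for c, t, hacked in account.login_history)


def protection_active(account: Account, now: datetime) -> bool:
    """Toggling the setting off keeps it active for another 7 days."""
    if account.protection_enabled:
        return True
    off_at = account.protection_disabled_at
    return off_at is not None and now - off_at < SOFTLOCK_DURATION


def is_suspicious(account: Account, action: dict) -> bool:
    """The three flagged actions; the same set stays blocked while softlocked."""
    kind = action["kind"]
    if kind == "transfer_asset":          # group or game ownership transfer
        return True
    if kind == "spend_robux":
        return account.robux_spent_last_day + action["amount"] > ROBUX_DAILY_LIMIT
    return kind == "publish" and action["ccu"] > POPULAR_CCU   # saving in Studio is not a publish


def evaluate(account: Account, session_country: str, action: dict, now: datetime) -> str:
    """Return 'allow' or 'deny'; a suspicious action from a new location softlocks the account."""
    if account.softlocked_until is not None and now < account.softlocked_until:
        return "deny" if is_suspicious(account, action) else "allow"
    if not protection_active(account, now) or location_is_known(account, session_country, now):
        return "allow"
    if is_suspicious(account, action):
        account.softlocked_until = now + SOFTLOCK_DURATION    # labelled "Suspected as hacked"
        return "deny"
    return "allow"
```

Note that once softlocked, even a session from the home location is held to the same three restrictions, which is what stops an attacker from simply routing through the victim's usual region after the label is applied.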

People have been asking for auto logouts/auto cookie destroying based on significant region changes (i.e. different side of the country, different country entirely) for well over 15+ years.

It’s not happening because Roblox gets more money from people needing to rebuild their accounts. That’s literally it.

It wouldn’t be hard to say “this account logged in to place B over the other side of the world from place A, even though it was only a few hours apart” among similar things. Wouldn’t be hard to deny a session because of a significant region change because people can easily re-log. Wouldn’t be hard to require extra authentication (an extra email or phone code on top of the authenticator code) for new sessions in new regions. It’s just literally never happening because again, 15+ years people have been outright demanding this, but Roblox doesn’t want to give up the potential for hundreds of dollars of profit from it (rebuilding accounts, or robux going into a hacked account which can’t be devexed)

This is funnily enough something that is happening, it’s just seemingly been a gradual rollout.

You can push conspiracy theories all you want, but cookies have been region locked & device bound (if supported) for a while: