“As a Roblox developer, it is currentlyimpossible to feel secure on this website, when this is the 2nd time my account have been compromised.”
This is most likely a result of a bruteforce attack, because I was using a new system, I doubt any rats snuck into my computer.
I feel that Roblox could use more security, security such as a better 2step authentication. We have an option to add our phone numbers to our roblox accounts, however it serves no use because 2 step verification get sent to your email. For example if your roblox account and email gets hacked, you’re pretty much screwed. Why not use our connected phone numbers to get codes sent to our mobile devices before logging in like they do on google. Not only will this help notify users when someone is trying to breach their account, but its a lot more safety overall, because it is a lot less common a hacker could hack into your phone, and more common they could hack into an email.
Another thing we desperately need, is login limits. Bruteforces rely on guesses which they keep trying your password over and over until it gets it right (not sure if I am 100% but I’m not a hacker ) . However this could be countered if we had login attempts, for example someone fails to login 10 times, it will cause a login timeout for 10 minutes and email the user that they have reached the failed login attempts, and will have the OPTION to change their password if they want to. Therefore if someone was to attempt to hack in a users account, we could do something to counter it. Rather than open roblox one day and notice you cannot log back into your account.
If all else fails, take after steam. For example every time you login, you must use the steam app to get a temporary code which only lasts for about 30 seconds and expires. This could greatly reduce accounts being stolen.
If I am incorrect or have bad points please feel free to correct me, I just feel that people get hacked and their limiteds stolen TOO often, and something must be done on Roblox’s security if we are going to prevent this. This is the thing nobody talks about, because most act like this issue doesn’t exists. Well it does, and we need a solution as SOON as possible! I hope you take this into consideration, and we can make this site a safer place for many users and developers.
Just set your email account to have phone-based 2-step, then there’s no way for hackers to get in like that.
I think the specific points you bring up here are non-issues as long as you secure your email account properly. The real big problems are social engineering scams (such as getting someone to send a password reset link) and cookie grabbers in plugins, which let hackers bypass 2 step verification entirely. That’s how many of the high-profile hackings are being done lately.
I don’t think I agree with all of your main points, but I still think that more 2 factor authentication options would be a great thing.
The most significant things that phone-based 2FA will prevent against is:
Password re-use attacks (already discussed)
Keyloggers and other tools that read your password from your computer
Both of these are excellent and fantastic things to prevent and I will always support initiatives for more 2FA options. A popular option is using a Google Authenticator-compatible system so you can receive codes on Google Authenticator. Discord, Microsoft, and many others support this system and there are other compatible apps for it that are free and open source.
Brute force attacks against a web endpoint will not work well at all. Brute force attacks are used offline after a database of encrypted (hashed) passwords are leaked from a website. Hackers will try common passwords until they find a match, then they have the user’s email and password conveniently connected. Then they just have to try the combination on other websites. Even this is only feasible if the website programmers used a weak hashing algorithm.
Brute force attacks are also used on things like encrypted files or encrypted hard drives (if the hard drive isn’t programmed to clear all data after X tries). Brute force attacks are not used against web endpoints as it’s too slow to be feasible. Most web endpoints lock you out of trying passwords or require Captcha authentication too. Brute forcing requires trying millions or billions of passwords per second.
Did you change both your Roblox password and email password after the first time you were compromised? Do you re-use passwords anywhere? If you re-use your password then your password may be in a password dump from some other breached site. The “hackers” just use the email and password from that site to log into your email account or Roblox account if you use the same password everywhere.
I had my account compromised once when I still used the same password everywhere. They even logged into my email. They didn’t care to change my email password at all so if I had kept using the same password then they could sneak back in and steal all of my stuff over and over. Making you feel like your email is secure gives them a consistent backdoor into all of your accounts.
Do you have any Roblox extensions installed in your browser? Many of those are known for stealing your login cookie, which lets them temporarily log into your account without your password. I’m aware of 2 safe Roblox extensions:
Roblox+, which is made by a user that is now Roblox staff and part of the web team
Fabrick, which is made by a devforum user and has shown to be trustworthy
There are likely others that are safe but I would not risk it.
Even extensions or programs unrelated to Roblox could be keylogging your information or cookies to log in as you. Be careful what you install!
I uninstalled Roblox+ this time around, the first time I was hacked, i took security seriously, changing all of my passwords, each of website I signed up on had a separate password. Most things had my 2step auth enabled, including gmail, and roblox. However this time, they was able to disable my 2step auth and bypass my pin code without even getting into my email. I checked my login email which tells you what IP’s and devices have previously logged into your account and I saw only my IP and my devices. None of my other accounts were touched except for my Roblox account.
This time I ensured every account had a 2 step, each password changed, cookies cleared, browser reinstalled, all extensions removed completely. All chrome saved passwords have been deleted from its history, and I removed saving of all my passwords. So hopefully it doesn’t happen again. In regards to me clicking links, I do not go around clicking random links as far as I know, and I only click trusted links.
It sounds like you should be good unless you get a malicious program on your computer. Also make sure you aren’t staying logged in on a computer, phone, or other device that other people use. It’s possible it’s someone you know messing with you and taking your stuff if you stay logged in around them.
As far as Roblox, nobody in real life knows I play it (except for my family), and I’ve never signed into roblox outside of my home/personal computer in my bedroom.
Yeah, I feel it’s more likely a family member or somebody your family trusts was responsible. Or a malicious program. If it was a flaw with the Roblox security, you’d think we’d be getting more reports of people getting hacked, especially from people like asimo3089 or alexnewtron, etc.
That said, I definitely would be in support of a phone-based 2FA
That could be the case, however I was logged off roblox playing Farcry 5, when I got bored of it and decided to return to Roblox, I noticed I was logged out. I never shared my roblox password with anyone… Ever. So for me to be at my computer the entire time and for me to magically be logged out and unable to log back in, along with my email removed from the account so I couldn’t recover password, made me come to the conclusion that I was hijacked.
Google doesn’t even ask for codes anymore. I just get a popup on my pixel with a yes and a no. Same with Microsoft’s authenticator. If a company has a mobile app, they should integrate it with 2FA.
I use the Google pop up yes/no because I’m already using Google. Google still supports codes and you can use a code instead or turn off the pop up if you’d like.
I use Google authenticator codes for my work Google account since I don’t want to have the work account on my personal phone and I don’t want to give my work access to tools such as wiping my device or seeing my location. Using authenticator codes gives me the positives of 2FA without the negatives of installing the app or having to sign into it with an account that I don’t want on my device.
I do not use the Microsoft pop up yes/no because I don’t have their app and I don’t want their app just for that feature. I’m very happy with using an authenticator code with Microsoft as it means I can have safe 2FA without having to install their app.
It would be nice for Roblox to support both authenticator codes and pop ups through the Roblox app. In the past I would have been disappointed if they chose not to support authenticator codes as my phone lacked the space to keep Roblox on it 24/7, especially since I rarely ever played it on my phone. I don’t want a 100+ MB app just to log in when the <10 MB Authenticator app does that just fine.
Well, this account I’m currently on was jacked from me in 2012. I worked on my game, went to sleep and when I woke up in the morning the whole account was gone. I couldn’t log in, didn’t receive ANY emails about my password or email being reset or anything and the whole account was terminated too. I sent Roblox countless emails over the years and all I got was “Please email us with the email account that is attached to the Roblox account” which always left me frustrated because I told them a million times that I can’t do that as the account was stolen. I decided to try again one last time in 2015 after having found some old emails I’ve sent to Roblox regarding problems with that account, I took screenshots and they finally believed me and gave me my account back.
I don’t know if this is still the case, but it seems Roblox was lacking in tools which can check who is the real owner of the account.
(Also, it seems like Roblox can restore accounts which are terminated for years, so please restore my 2008 acc which I terminated when I was stupid at the age of 8 )
Yeah accounts are stolen more than often, just nobody who gets their account stolen are still on roblox to tell the tale. I feel like regular users experience this a lot more than devs, since last time me being hacked I did not receive my account back until 14 days later, compared to me being on the dev forum and me receiving my account less than an hour after contacting roblox (which was ALSO on a holiday). I am just saying the more security the better and whatever we can do to make it harder for hackers to ruin a kids day should be done to ensure the safety of the users on roblox.
For most people, they think you get your Roblox account hacked and its over. But no… I’ve seen people get their roblox, email, and any account connected to that email hacked such as facebook, youtube, discord, etc. (Because people sometimes are really good hackers but most cases include 1 person using universal passwords). But whatever Roblox can do to ensure that the players are less likely to get hijacked would be very kind of them and appreciated by both the dev and the player community.