2016 Roblox security breach

The 2016 Roblox security breach was an incident which led to the user data of 100,000 players being exposed to an unauthorized group of individuals. The breach was mentioned by Roblox administrators in a security update blog post.

Incident
In July 2016, a group of unauthorized individuals accessed the Customer Service admin panel of a Roblox test site, which contained a full copy of a Roblox production database from 2012. This was done using a compromised staff account.

Any Roblox user data up to 2012 could have been accessed by the attackers, including the following:


 * Transaction logs (excludes full credit card numbers)
 * Private messages
 * Robux balances
 * Previous email addresses
 * Login logs with IP addresses

The attackers scraped the admin panel for user data until they were kicked out by Roblox staff. While it is unknown how many users truly had their data compromised, the leaked databases resulting from this breach put the count at over 100,000.

Aftermath
The leaked databases were used to compromise many old accounts, both by the individuals behind the breach and by other users who obtained the files from forums. The files contained the data of a few thousand Roblox accounts whose join dates ranged from August to September 2006.

A few weeks after the breach occurred, Roblox published a blog post titled Security Update, which includes a vague mention of the breach. As an added security measure, a Security Notification screen was added to certain accounts, forcing some account owners to reset their passwords via email.