If this happens, contact Roblox Support and they will help you regain access to your account and roll back any damage.
The .ROBLOSECURITY cookie is a browser cookie used by the Roblox website to store user sessions in a web browser. Its content is a hash that the website uses to determine which user account is logged in. This means that if a user is tricked, through social engineering or a cookie logger, into revealing the content of this cookie, anyone who obtains it can log into that user's account by creating a cookie named ".ROBLOSECURITY" with the revealed content. In other words, giving this cookie to someone will give them access to your account.
The hash used by the .ROBLOSECURITY cookie is permanent, but can be changed by logging off and logging back into the account. Users who gave away their .ROBLOSECURITY must immediately click the "Sign out of all other sessions" button, located in their Roblox settings page. Doing this will reset their .ROBLOSECURITY cookie and make the old one unusable.
Cookie loggers
Cookie loggers are malicious software, such as JavaScript code included in a browser extension, bookmarks (or "bookmarklets"), code pasted into the DevTools console, or HAR files extracted from the browser, that attempt to view a user's .ROBLOSECURITY cookie and copy it, giving an attacker access to the account so they can hijack it. These programs silently send .ROBLOSECURITY cookies to a remote server without the user noticing and, in some rare cases, without being detected by any antivirus program.
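A HAR export records the cookies of every request it captured, so the session cookie has to be removed before such a file is handed to anyone. The following is an added example, not part of the original page: it redacts .ROBLOSECURITY from a HAR 1.2 capture. The function names and the sample capture are constructed for illustration.

```javascript
// Added example: strip .ROBLOSECURITY from a HAR capture (HAR 1.2 field names).
const COOKIE_NAME = '.ROBLOSECURITY';
const REDACTED = '[REDACTED]';
const NAME_RE = COOKIE_NAME.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Rewrite "NAME=value" pairs inside a Cookie or Set-Cookie header string.
function scrubHeader(value) {
  let hits = 0;
  const pair = new RegExp('(^|[;\\s])(' + NAME_RE + ')=[^;]*', 'gi');
  const out = value.replace(pair, (m, pre, name) => { hits += 1; return pre + name + '=' + REDACTED; });
  return { out, hits };
}

// Returns a redacted deep copy, the number of values replaced, and how many
// unredacted "NAME=" strings remain elsewhere (e.g. in bodies) for manual review.
function redactHar(har) {
  const clean = JSON.parse(JSON.stringify(har));
  let redactions = 0;
  for (const entry of (clean.log && clean.log.entries) || []) {
    for (const msg of [entry.request, entry.response]) {
      if (!msg) continue;
      for (const c of msg.cookies || []) {
        if (String(c.name).toLowerCase() !== COOKIE_NAME.toLowerCase()) continue;
        c.value = REDACTED; redactions += 1;
      }
      for (const h of msg.headers || []) {
        if (!/^(cookie|set-cookie)$/i.test(h.name)) continue;
        const r = scrubHeader(String(h.value));
        h.value = r.out;
        redactions += r.hits;
      }
    }
  }
  const stray = new RegExp(NAME_RE + '=(?!\\[REDACTED\\])', 'gi');
  const needsReview = (JSON.stringify(clean).match(stray) || []).length;
  return { har: clean, redactions, needsReview };
}

// Constructed sample capture (all values are made up for this example).
const SAMPLE_HAR = { log: { version: '1.2', entries: [{
  request: {
    headers: [{ name: 'Cookie', value: 'lang=en; .ROBLOSECURITY=CONSTRUCTED-SECRET-1; theme=dark' }],
    cookies: [{ name: '.ROBLOSECURITY', value: 'CONSTRUCTED-SECRET-1' }],
  },
  response: {
    headers: [{ name: 'set-cookie', value: '.ROBLOSECURITY=CONSTRUCTED-SECRET-2; path=/; HttpOnly' }],
    content: { text: 'debug .ROBLOSECURITY=CONSTRUCTED-SECRET-3' },
  },
}] } };
```

A non-zero needsReview means the cookie name still appears with a value somewhere outside the cookie fields, such as a logged body, and that capture should not be shared as it is.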
If you have followed the steps and still do not have access to your account, try resetting your password at https://www.roblox.com/login/forgot-password-or-username or https://roblox.com/login/securityNotification
If you are unable to reset your password, contact Roblox Support from an email address that has been associated with the account. They can also recover some stolen assets, like limiteds or Robux, if this is the first time the account has been compromised. However, this rollback can only be done once per account, so use it cautiously.
Cookie logger removal guide
There are many different types of cookie loggers, but below is a guide to removing the most common ones.
For Windows
- Step 1
- Press ⊞ Windows + R
- Step 2
- Type %LOCALAPPDATA% into the text box in the "Run" window and press the Enter key.
- Step 3
- Right-click on the "Roblox" Folder and delete it.
- Alternatively, you can click the folder and press ⇧ Shift + ⌦ Delete to permanently delete the folder, skipping Step 4.
- Step 4
- Click on the Recycle Bin icon on your desktop then click on the "Empty Recycle Bin" button.
- Step 5
- Open your preferred browser and check your extensions:
- On Firefox, go to about -> addons or type about:addons in your search bar.
- On Chromium or Chrome, go to about -> extensions or type chrome://extensions in your search bar. (Note: if you're not using Chrome, the browser will automatically replace "chrome" with its own name, e.g. chrome://extensions -> edge://extensions.)
Make sure every extension here was installed by you and is trusted. Pay special attention to extensions that appear to be related to Roblox. A small userbase and negative reviews can help indicate a logger. If you find a suspicious extension, uninstall it.
- Step 6
- Open the Control Panel: go to File Explorer, type "control panel" in the address bar, then click "Control Panel".
- Step 7
- Under "Programs", click "Uninstall a program".
Make sure all programs here were installed by you and are trusted. Pay special attention to programs that appear to be related to Roblox. If you find a suspicious program, uninstall it. However, do not uninstall programs created by Microsoft. Some of the programs from Microsoft are necessary for your computer to function correctly; if they are deleted, it may cause problems with your computer in the future.
- Step 8
- Scan your PC using an installed antivirus that you trust. Windows Defender will usually be fine, but for extra security use the free version of Bitdefender, Avast or Malwarebytes. (Microsoft also has a great list of 3rd party antivirus software that they trust and recommend, but most are paid software.)
- Step 9
- Go to roblox.com in your browser. Log in, reinstall Roblox, reset your password and email in your settings, log out and then back in and press the "Sign out of all sessions" button in your settings.
Trivia
- When inspecting the Roblox website's cookies, a warning message can be seen at the beginning of the .ROBLOSECURITY's value, showing this before showing the cookie's actual value:
"WARNING: DO NOT SHARE THIS. Sharing this will allow someone to log in as you and steal your ROBUX and items."