What can firms learn from historic breach that’s come back to haunt Roblox?
Reports have emerged over the weekend that developers who attended the Roblox Developer Conference between 2017 and 2020 had their personal details exposed following a data breach which happened at least two years ago.
While the breach was only made public by the gaming platform on Friday, information reportedly leaked included names, phone numbers, email addresses, dates of birth, physical addresses and even T-shirt sizes.
This kind of identifying data can leave victims open to data fraud and identity theft, personalised phishing scams and general harassment.
The breach was first raised by tech worker Troy Hunt on Twitter last week following contact with several of the developers who had been affected.
Hunt runs the website haveibeenpwned.com that allows people to check whether their email address or passwords have been compromised.
New breach: 4k records from the 2017-2020 Roblox Developers Conferences appeared on a forum this month. Data included email addresses, names, usernames, DoBs, phone numbers, IP addresses and T-shirt sizes. 83% were already in @haveibeenpwned. Read more: https://t.co/YBy3TQGTUt
— Have I Been Pwned (@haveibeenpwned) July 18, 2023
Hunt claimed that the first breach dated back to 2021 but initially the leak didn’t spread beyond “niche cheating communities” within Roblox – the popular gaming platform. However, more recently, several compromised developers contacted Hunt after receiving malicious phone calls.
Hunt’s tweets appear to have galvanised the gaming platform into action, as it responded in a statement that it has now contacted everyone affected, reportedly offering those most seriously breached a year of identity protection. [Annual ID protection plans typically cost between $150–$350 per year.]
Given the commercial tie-ins to Roblox and the fact that the platform has been mooted as a blueprint for Web3 and the metaverse, protecting online developers from cyberattacks – whether they are employees or third parties – is essential, according to Oliver Green, creator of autoclicker.io.
“Companies need to protect their intellectual property, data, and the integrity of their games. Data breaches in gaming can have significant impact on both users and developers.”
As Roblox looks back over this affair, it may see with the benefit of hindsight that it is better to be transparent and reach out to those affected immediately rather than responding via Twitter three years after the event, which undoubtedly has reputational consequences.
According to Green, going forward, there are also several measures companies can take to provide their developers with optimum security.
These include security training to raise awareness of threats and best practices for data handling; securing a strong access control system to limit access to sensitive information and multifactor authentication, which should be enforced across all accounts – including those of developers.
Other precautions, added Green, include making sure sensitive data is encrypted and, if the company uses APIs in its games, ensuring they are adequately secured and have proper authentication mechanisms.
Green added: “At the very least you should use an API key (asymmetric key) or basic access authentication (user/password) to increase the difficulty of hacking your system. But you should consider using OAuth 2 as your protocol of choice for robust security of your APIs.”