Hackers have stolen data from RBX.Place, a grey marketplace where players of the massively popular online game Roblox can sell in-game items for real money, according to the database obtained by Motherboard.
The data includes email addresses, transactions, hashed passwords, and other personal information.
Roblox is available on Xbox, PC, and mobile devices. Players can make their own games using the platform's engine or play other peoples' creations, and are able to purchase in-game items too. RBX.Place is a site independent of Roblox itself, where users can then sell in-game items and be paid in fiat currency.
Do you work at Roblox, or have any insight into how users make money on sites like RBX.Place? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Multiple current and former members of the Roblox community said that some hackers break into Roblox accounts, take their items, and then sell those items for cash on RBX.Place. Motherboard granted them anonymity to speak more candidly about criminal practices.
Two people included in the data confirmed to Motherboard that their information in the hacked RBX.Place database was accurate. The data also includes applications people made to become sellers on the site, Discord handles, Skype usernames, and IP addresses.
The passwords are hashed, which is a process that turns the password into a string of characters that the website stores instead of the plaintext password itself, along with a salt, a random string of characters designed to make the hash more resilient to cracking.
The hacker who provided the database to Motherboard is the same hacker who previously bribed a Roblox insider to access user data. They said they in turn obtained the RBX.Place data from someone else who compromised the site.
"Roblox would have a field day with this database because USD selling ain't allowed anyway," the hacker told Motherboard in an online chat. The data appears to date from 2018.
Motherboard contacted a RBX.Place staff member in an attempt to obtain comment from the website. That staff member directed Motherboard to the website's owner; Motherboard could not reach the owner for comment.
Subscribe to our cybersecurity podcast, CYBER.