Megalithic game-thing Roblox doesn’t exactly have the best of reputations. Accusations of exploitation of children’s labor are hardly a good look, and this week also saw staff reporting that there has been little effort to address the lack of diversity at the studio. On top of all that, today it’s been revealed that a data leak from the company saw 4,000 developers’ personal, identifiable information go public.
As reported by PC Gamer, the list of names, email addresses, dates of birth, and physical addresses contains information on those who attended the Roblox Developer Conferences between 2017 and 2020. That’s the kind of information you can use to steal an identity. Oh, and it also included their t-shirt sizes.
The leak itself dates back to December 2020, but it remained unnoticed and unreported until this week. Troy Hunt, the creator of the Have I Been Pwned website that allows people to search to see if their details have been part of a leak, tweeted asking if anyone else had seen people discussing the situation, bringing it to wider attention.
According to Have I Been Pwned, the leak was posted in “niche communities” in 2021, but despite this, Roblox did not let anyone know it had happened, least of all those affected. It then went far more public this week.
In a statement given to PC Gamer, a Roblox representative acknowledged the “third-party security issue,” describing the leak as “unauthorized access to limited personal information of a subset of our creator community.” These are astoundingly diminishing terms for what is clearly incredibly detailed information about 3,943 individuals. But it’s fine because the company “engaged independent experts to support the investigation led by our information security team,” and added that it will “continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors.” The company also said it contacted those affected to “communicate the next steps we are taking to support them.”
Given the lack of information on the investigation, its pledge to “continue to be vigilant” doesn’t currently hold an enormous amount of promise. We’ve contacted Roblox to ask why such data was being stored in this way and for more details on how it intends to support those affected. According to PCG and Troy Hunt, many received “a sorry email,” while others were offered “a year of identity protection.” Which, you know, doesn’t seem quite enough.
This all happens in the same week that Bloomberg reports staff are increasingly frustrated at Roblox’s failure to address woeful diversity within the company, with incredibly few women in senior positions. The company also told Bloomberg it has “no targets around hiring or promoting diverse employees.”
Plus, it’s important to never forget that the wider Roblox environment is deeply troubling for parents of the young children to whom the software is pitched, as exquisitely chronicled by People Make Games. Seriously, don’t let your kids near it if you haven’t watched this, or its follow-up: