Roblox accused of putting 100 million players at risk of data theft

Researchers have claimed that popular online game Roblox suffers from a series of security vulnerabilities that could have compromised the data of more than 100 million players, many of whom are children.

According to a report from CyberNews, Roblox is guilty of a number of “glaring” lapses in security, specifically relating to the Android application.

However, Roblox has denied the claims, stating that the research was based on inactive code and that the vulnerabilities weren't serious at all.

A Roblox spokesperson told TechRadar Pro: “We take all reports seriously, and immediately investigated when first approached by the researcher in March. Our investigation determined there is no correlation between these claims and real risk to users’ data privacy.”

“One claim was inaccurate and the other three pertained to inactive code not used on the Roblox platform. Regardless, we deleted the inactive code as part of our commitment to the security and the safety of our users.”

Roblox security issues?

The CyberNews report alleges that the app exposed user data via four separate avenues: through misconfigurations in the Roblox Android manifest file, inadequate hashing algorithms, susceptibility to the Janus vulnerability and hardcoded API keys.

Together, these issues supposedly earned the Roblox Android app a remarkably low 10/100 score as per the Mobile Security Framework, a common test used to assess the security performance of mobile apps.

Although CyberNews acknowledged that some of the security holes have been patched in the latest versions, the researchers believe “the threat to player security is very real” and that user data such as names and email addresses could be compromised with relative ease. 

While security issues are cause for concern in any context, this is particularly true in the case of Roblox, which is played predominantly by children between the ages of 9 and 15.

Many data protection regulations worldwide, including GDPR, contain specific provisions intended to enhance the protection of children’s personal data, which means companies such as Roblox are required to go the extra mile to shield data from attack.

What’s more, according to CyberNews, the volume of microtransactions that take place on the Roblox platform, coupled with the number of young users, makes the game an ideal target for cybercriminals.

In a statement shared with media, CyberNews expresses disappointment with the shoddiness of Roblox’s security practices, but also with the company’s sluggish response. The researchers claim to have contacted Roblox on multiple occasions to warn the company of the vulnerabilities, but supposedly received no response.

“It’s worrying to see a company with decades of development experience, millions of customers and the budget to match, following such security practices,” said Mantas Sasnauskas, Senior Researcher at CyberNews.

“We’re calling on Roblox to address the platform’s security risks as a top priority - these security and privacy practices should be much more rigorous and looked at more thoroughly, especially for a game that has hundreds of millions of users.”

Update:
CyberNews has since provided TechRadar Pro with the following statement:

"We are glad that Roblox decided to delete the part of code, which, according to them, was inactive, and addressed three of the issues we raised. We think this is a great reaction from Roblox side because it will be beneficial to users. And it is a good practice not to keep a redundant piece of code in production. Otherwise, it can cause not only performance issues, but issues of privacy and security as well, or it can even be used by bad actors."

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
