My son and daughter both play Roblox. It is a sort of easy development framework that allows people to build multiplayer games, which they can share with other players. It caters for both kids and adults.
I only allow my 6 year old daughter to play as a guest. My son has an account, but has strict rules on friend requests and chatting.
While we were sleeping this morning someone accessed his account, and the following occurred:
- His password was reset
- His birthdate was changed to make him older
- The account email was changed, although this did not stick
- Any active games he had created were inactivated
- A new game was created
- 50 random people were sent messages from his account, inviting them to the new game
- Advertising for the new game was created and paid for
- A small level of resource trading was done
A couple hours later when I woke up I noticed the Roblox account warning emails, and was able to force another password change. After gaining access to the account I ensured all other session logins were invalidated, and set about reversing everything I could. I then sent a message to Roblox, and to my complete surprise had responses within a couple of hours.
I am not sure how his account was hacked / exploited. In this case his most recent password had only been used for the last 10 days. I expect he has played some compromised game – like whatever was created on his account. He might also have been tricked into clicking on a link or something in one of the game chats. He assured me he didn’t, but the reason the password had been changed recently was I had locked him out of the game for a month after catching him chatting. (While he was only trying to help someone, the rule is he isn’t allowed to unless my wife or I are watching.)
(The virus scan on his laptop was also clear. I can’t imagine anyone would directly hack / compromise his laptop over a game like that, but checked anyway.)
The whole thing has taken a couple hours out of my day and was drama I could do without. It was a reminder though on just how easily this sort of thing can happen.
One of my RL friends clicked on a link in EVE (it was in a series of joke images), and within 24 hours had lost access to his account, had everything sold off, and the ISK transferred away. He removed the key logger which had been installed on his desktop, got the account back after a week or so of emails to support, and got part of his wealth returned. It was the beginning of the end though. He lost that level of trust needed to invest in EVE, knowing how easy it was to have it stolen from him. He now no longer plays.
This sort of account hacking causes all sorts of hurt.