Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump's reelection campaign.
Users with accounts on the Roblox multiplayer game said that profile pages on the Roblox.com website for followers and people they followed were suddenly defaced over the weekend with a message that read "Ask your parents to vote for Trump this year! #MAGA2020."
The first intrusions appear to have started last week, according to messages shared on Reddit, Twitter, and Roblox fan forums.
Besides the text message in support of Trump, avatars for the hacked accounts were also modified to wear attire commonly worn by the typical Donald Trump supporter, such as a red cap and a t-shirt with an American flag and bald eagle.
Users who had their accounts hacked and disclosed the incident on Roblox forums admitted to reusing passwords across multiple online accounts or using easy-to-guess credentials.
Many also admitted to not enabling a feature called two-step verification (2SV).
Roblox uses an email-based 2SV system that requires users to enter a valid username and password, and then a one-time short-lived code that it sends to the user's email inbox.
It is currently unknown how hackers breached the accounts. Roblox has not returned a request for comment to ZDNet or other news publications.
However, with the help of threat intelligence firm KE-LA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.
ZDNet tested tens of Roblox usernames found in these lists and found that many were among the ones defaced by hackers with pro-Trump messaging.
At this point, ZDNet can conclude that the pro-Trump hackers most likely used lists of previously compromised Roblox accounts shared online. They then gained access to accounts where 2SV was not enabled and defaced profiles with the same pro-Trump message, most likely part of an automated series of operations.
When ZDNet began looking into these hacked profiles over the weekend, there were around 750 hacked accounts. The number froze during the week at around 1,000 accounts, but new defaced accounts began appearing today.
While writing this article, the number of defaced accounts grew from 1,680 to 1,820 during one single hour.
Roblox users who believe they use a weak password are advised to change it and enable 2SV. Because Roblox is also advertised to young children, parents are also encouraged to guide and help their kids change and select a strong password and enable 2SV.