The 2012 April Fools Hack was an event that took place on April 1st, 2012, and involved the compromise of the Roblox website, which enabled attackers to recklessly experiment with and abuse the website's features. It ended with the website being taken offline to patch the vulnerability. While there was no actual hacking of the website, the event was widely referred to as such during and after it took place.
In 2016, Roblox reported that a user had gained access to passwords of accounts from 2012 and 2013. Roblox prompted the users whose passwords had been leaked in plain text to change them.
Timeline of Events
On April 1st, 2012, an unknown user caused what would become the website's most notable "hacking". It involved the currency system and item catalogue, the use of the warning banner, and unauthorized user promotions. It is unknown how the perpetrator was able to access Roblox's administrative system. In a 2017 Reddit comment, Gordonrox24, a former moderator, noted that "It was nothing... You won't see it happen again".
The suspected precursor to the event was a forum discussion that deteriorated into an argument between Minish and Merely involving money and the economy of Roblox. It is alleged that Minish's account was taken over by the unknown user. Minish bought Merely's famous Domino Crown, which was Merely's personal favorite catalog item. The forums soon exploded with threads discussing the events. As a result, the two users were each given bans. This would also lead to Merely briefly quitting Roblox.
New Catalog Items
The perpetrator released multiple new Roblox assets during this time. He first released a new face into the catalog with the title "c:" on the official Roblox account for 1 Robux. The only account to purchase it was Stickmasterluke, whose account was assumed compromised. The face's image asset can be retrieved from the Roblox website. Another "c:" face was made, which can also be retrieved on the website. A third face called "hai guize derp" was also released and can be accessed on the Roblox website.
Banners were added to the top of the site; they frequently changed colours and displayed objectionable content. Examples include "thank you minish for messing up the economy. nub.", "always share your passwords with strangers, kids!", "Haha these are so funny let's go spam the forums about them :D", "Remember kids tell your parents to vote Ron Paul", "Yo gonna give a shout out to the homies in dah hood", "Do A Barrel roll", and "I'm the annoying orange banner. AHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH".
Multiple users were granted large amounts of Robux throughout the event. Although most of these accounts were apparently rolled back, it is speculated that some users managed to evade losing the entirety of their newfound wealth. An example of one of these users is Misteroe, who managed to evade a ban and successfully trade away and launder an estimated 100,000 to 350,000 ROBUX. There is also some speculation that Misteroe was directly involved with the event.
It is speculated that 1dev2's account was also among the compromised accounts. Many items were put into his inventory during the event, and his avatar was changed multiple times. His account was subsequently terminated by a moderator. This ban was never revoked, but 1dev2 was possibly allowed temporary access to his account after the event, during which he uncopylocked his game "Welcome to the Town of Robloxia".
After all this activity occurred, Roblox staff brought the site offline and reported that they were attempting to patch up the currency system. The website was brought back online during the late evening of April 1. The Trade Currency system and Roblox Catalog were offline until the following evening.
In a Roblox Blog post on April 2nd, it was announced that "(Roblox) experienced a site issue the evening of April 1st..., and (they) took the site offline". They noted that "Several assets were released from (the catalog) backlog that were not ready for production", and "Several accounts were incorrectly granted large amounts of Robux; some of these Robux were subsequently traded with other accounts." One confirmed user to benefit from the large influx of artificial Robux was Misteroe, although it is not clear if this statement is directly referencing him. Some catalog and currency transactions were audited and rolled back, and they estimated the rollbacks occurred in fewer than 0.01% of Roblox accounts. Some items were updated with new pricing, while other items were taken off-sale. The "c:" face was changed to "Dr. Smyth Face" and was temporarily available for purchase.
- (2017). What was the April Fool's Hack of 2012?. Retrieved from https://www.reddit.com/r/roblox/comments/7irz8i/what_was_the_april_fools_hack_of_2012/
- David Baszucki. (2012). Site Issue Resolved. Roblox Blog. Retrieved from https://blog.roblox.com/2012/04/site-issue-resolved/