My Teen's Roblox Account Got Hacked — Recovery Steps (2026 Parent Guide)

In April 2026, security researchers reported that hundreds of thousands of Roblox accounts had been stolen through a combination of credential-stealer malware, phishing pages disguised as trading sites, and a social-engineering pattern teens call beaming — getting an in-game friend to share their screen, then triggering a trade window while they click through settings.

For families, the loss is rarely the account itself. It is the inventory: limited items, rare collectibles, the Dominus your teen saved birthday money for, the Robux balance that took six months to build. Hundreds of dollars of real value, often. And the recovery rules are stricter than parents expect.

Here is the 30-minute plan, the 30-day window, and what works after.

Step 1: Lock the email first, not the Roblox account

Most parents get this order wrong. The instinct is to log into Roblox, change the password, and breathe. That order fails when the attacker already swapped the account email, which is the most common second move after stealing a Roblox password.

Start with the email that is registered to the Roblox account.

1. From a different device — your phone, a family laptop — sign into the email account associated with Roblox
2. Change the email password immediately. Use a password your teen has never used anywhere else
3. Enable 2-factor authentication on the email if it is not already on. Authenticator app, not SMS
4. Check forwarding and filter rules. A common attacker move is to add a filter that auto-forwards or auto-deletes anything from [email protected]. Remove any rule your teen did not create
5. Review recent sign-in activity in the email's security settings. If you see logins from unfamiliar locations, sign them out

Once the email is back under your control, every other account that uses it becomes recoverable. If you skip this step and the attacker still owns the email, every password reset you trigger goes straight to them.

Step 2: Reset the Roblox password from the secured device

Now — and only now — touch Roblox.

• From the parent device, go to roblox.com/login and click "Forgot Password or Username?"
• Enter the email address registered to the account
• If the reset email arrives within 5 minutes, you are still on the easy path. Reset the password to something the teen has never used elsewhere, and continue to Step 3
• If the reset email never arrives, the attacker has already swapped the account email — skip to Step 5

Step 3: Lock the door behind you — sessions, 2FA, Account PIN

Changing the password alone does not log out an attacker who is already inside. They keep their session token until you explicitly invalidate it. Three controls, in this exact order:

1. Sign out of all sessions. Settings → Security → "Log out of all other sessions." Anyone signed in from another device gets kicked out at that moment
2. Enable 2-Step Verification with an authenticator app (Authy, Google Authenticator). Roblox supports authenticator app, email, and security keys — authenticator app is the recommended choice. SMS is the weakest of these and can be defeated by SIM-swap attacks
3. Enable the Account PIN. Settings → Security → Account PIN. A separate 4-digit code is then required to change account settings, even after a password is entered. The Account PIN blocks the second wave of an attack even if the password leaks again

Step 4: Inventory the damage and preserve evidence

Before opening a support ticket, document what is missing. The Roblox support team will ask for this, and the more specific you are in the first ticket, the faster the response.

• List the missing items by name. Limited items, rare collectibles, hats, accessories — the exact item names matter
• Robux balance before vs. after. If you have a screenshot or a memory of roughly when the balance dropped, note it
• Trade history. Settings → Trades → Completed shows what was sent and received. The dates and counterparties become evidence
• Chat logs. If a "friend" account ran a beaming attack, screenshot the Discord or in-game chat where they asked to screen-share or trade. Save before you block
• Login history. Settings → Security → Sessions. Note any unfamiliar device or location and timestamp

Step 5: Open a Roblox support ticket — the 30-day window

Most parents skip this step or do it too late. Roblox's official policy on hacked accounts is published at en.help.roblox.com: they "may be able to" restore inventory in "very limited circumstances" for compromised accounts that contact support within 30 days of the compromise.

The clock starts at the date the items left the account, not the date you discovered the loss. If you find out on day 28, do not wait until you have a "complete" ticket — submit immediately and supplement after.

Go to roblox.com/support:

1. Select Account / Security → Account Hacked
2. Provide the username exactly as it appears (case-sensitive)
3. Provide the original email address registered to the account at creation, even if it has since been changed
4. List the missing items with approximate dates of loss
5. Attach proof of ownership: original purchase receipts for Robux, transaction IDs from your card statement, or App Store / Google Play purchase history. Receipts are the single strongest evidence of ownership
6. Note the date of compromise and how it happened (beaming, phishing site, malware) — specificity helps

Items that have already been re-traded multiple times across other accounts are usually unrecoverable. Robux balances laundered through Developer Exchange or third-party marketplaces are almost never restored. The realistic goal is the items that have not yet moved. Speed matters most. Common Sense Media's parent guide to Roblox covers the platform's safety controls in more depth, including parental account-link options that prevent settings changes without parent approval.

Step 6: Clean the device, not just the account

If the compromise came through a "Robux generator," a "trainer," a fake trading site, or a sideloaded browser extension, the device itself is potentially infected. Changing the password while the credential-stealer is still running on the laptop just hands the new password to the same attacker.

1. Run a full antivirus scan. On Windows, Microsoft Defender Offline scan catches most credential-stealers. On Mac, Malwarebytes Free is the standard second-opinion tool. On Android, Malwarebytes or Bitdefender Mobile
2. Remove unfamiliar browser extensions. Chrome, Edge, and Safari all let you sort by date added — remove anything that appeared on or near the day of the compromise
3. Check for unfamiliar profiles on iOS. Settings → General → VPN & Device Management. Any management profile your teen does not recognize should be removed
4. Factory-reset if anything serious is found. A reset is faster and more reliable than surgical malware removal. Cloud backup will restore apps and photos
5. After the device is clean, change the Roblox password again from that device, since the previous reset may have happened on an infected machine

Step 7: Block the attacker, warn the friend graph

If a known "friend" account ran a beaming attack, the friend's account is almost certainly compromised too. The same attacker will cycle through their friend list within hours, using the same trust pattern that worked on your teen.

• Save chat logs first, then block on Roblox and on Discord
• Warn mutual friends through a different platform — iMessage, SMS, in person at school. Do not warn through the compromised friend's chat — that just tells the attacker you are aware
• Tell the friend's parent if you know them. The friend account is often a victim, not a co-conspirator. Their kid is going through the same recovery you are, often without knowing
• Report the attacker's account to Roblox via the in-app report function. This does not recover items but it adds to the platform's case for banning the account

Step 8: The conversation that decides whether your teen tells you next time

Most parents skip or rush this step. The conversation determines whether your teen brings the next incident to you, and there will be a next time, because the scams keep evolving.

• Lead with "I'm not mad." And mean it. The beaming pattern was engineered by someone who does this for money against teenagers, full-time. Your 14-year-old lost a fight that adults lose too
• Split the conversation in two. The technical recovery happens now, together. The "how do we prevent the next one" talk happens 24-48 hours later, when the emotional weight has settled
• Name the tactic, not the teen. "That's a classic beaming pattern — they spent four months building trust just to get the screen-share moment" is useful. "You should have known not to trust them" is not. The first reframes the attacker as the criminal. The second reframes your teen as the failure
• Skip "I told you so." Teens who get punished for being scammed hide the next one, and hidden incidents escalate. The pipeline from "lost Roblox items at 14" to "didn't tell parents about a sextortion threat at 15" runs through this conversation
• Ask what signal would have helped. Not "how did you miss it?" Instead: "Looking at it now, what's the one moment that, if you had hesitated for ten seconds, would have changed how this went?" Teens who can identify their own pattern-break cue are the ones who catch it next time

Why teens fall for beaming — and why "trust your friends" makes it worse

Beaming attacks exploit the social trust teens build over months, not the technical defenses they have for one-off strangers. The classic pattern is a four-month gaming friendship: same squad every night, inside jokes, voice chat until 2 AM. Then, one Tuesday: "yo can I screen share for a sec, I wanna compare collections."

Generic safety rules like "don't trust strangers online" do not fire here. By the time the attack runs, the attacker is not a stranger anymore. The teen has good evidence to trust them. A safety frame like "this person could be lying" feels insulting to the four-month relationship.

Move the rule from who to what: regardless of how trusted a person is, three actions stay off-limits. No screen sharing while logged into a game account. No typing a password into a link someone sent. No accepting a trade window that appears during a settings click. Rules about the action keep the friendship intact and still protect the account. Stanford Internet Observatory's research on teen credential theft shows the pattern recurs across platforms because the trust gradient is the actual exploit, not the platform interface.

How to prevent the next one — pattern recognition, not lectures

Five concrete things, in priority order. Each one is more effective than a longer lecture about online safety.

• Authenticator-app 2FA on Roblox. Not SMS — SIM-swap attacks defeat SMS. Authy or Google Authenticator. Set up the parent's phone as a recovery factor too
• Account PIN enabled. Blocks settings changes even if someone has the password. Most parents do not know this exists
• One absolute rule on credentials. "Passwords and verification codes are typed into the bookmarked roblox.com URL or the official app — never into a link someone sent." One absolute rule beats a list of heuristics that fire under pressure
• One absolute rule on screen sharing. "Account is logged out before any screen share, every time." This single rule prevents the most common 2026 beaming pattern. Screenshots can replace screen-share in 95% of "let me see your inventory" requests
• Password manager installed. Bitwarden (free) or 1Password Family. The manager will not autofill on the wrong URL — which means a phishing page that looks identical to roblox.com just sits there, blank, and the teen notices

Rules teens heard in a lecture do not fire when a four-month friend asks for a screen share at 11 PM. Rules they practiced in a realistic simulation do.