NexSpy Family Safety

Someone Got Into My Roblox Account: What to Do Right Now (Parent's Step-by-Step Recovery Guide)

Updated · NexSpy Team · Parent Guides & Setup

Someone got into my Roblox account, what do I do — that question usually arrives at 9 PM with a crying kid, a missing 800 Robux balance, and a display name nobody recognizes. The next thirty minutes matter more than the next thirty days. This guide is built for the parent sitting next to the panicked child: a five-minute triage to stop the bleeding, a confirmed-compromise checklist so you do not waste a support ticket on a forgotten password, the exact recovery sequence in the right order, a fallback path for when the hacker swapped the recovery email, and an honest answer about what Roblox will and will not refund. Then we cover how the lure almost certainly arrived — and how to catch the next one before it lands. For a different parent-recovery scenario, the guide on how to find a deleted YouTube video walks through that playbook.

First 5 Minutes: What to Do Right Now Before Anything Else

Stop, breathe, and confirm this is actually a compromise — not a forgotten password and not a glitch. A real takeover usually shows at least one of these signs in the first minute of looking:

  • a Robux balance that is suddenly lower than it was last night, or a spending alert nobody recognizes
  • a display name, avatar, or profile bio that has been changed
  • a login alert email from Roblox flagging a new device or country

Once you have a real signal, switch devices. If the child was playing on a tablet or PC that might be infected with a cookie-stealer or a malicious browser extension, do not attempt the password reset from that same machine — use the parent's phone or a clean computer instead.

Ignore anyone messaging the account right now. The “friend” offering to help recover it, the Discord user claiming to be Roblox staff, the YouTuber DMing a “recovery method” — every one of them is part of the same scam economy. Do not reply, do not click, do not screenshot and send back.

Keep the child in the room. They probably know the email address the account uses, the password to that email, the answer to a security question, and the last website or Discord server they visited before the account broke. You need that information in the next ten minutes — interrogating later costs hours.

Signs Your Child's Roblox Account Was Actually Hacked

Plenty of “hacks” turn out to be a sibling who guessed the password, a forgotten capital letter, or a Roblox service hiccup. Before opening a support ticket, confirm the pattern. A real compromise usually shows at least two of these signs together:

  • Missing Robux or unexplained spending. The balance dropped, or the transaction history shows purchases the child did not make.
  • Items gifted, traded, or sold to strangers. Limited items moved to an account nobody knows, or inventory items are simply gone.
  • Profile changes the child did not make. Display name, avatar outfit, profile description, or even the account email has changed.
  • Login alerts from unfamiliar locations. The Roblox security email — or the session history under account settings — shows a device, browser, or country the family has never used.
  • Friends list or DMs the child did not touch. Strangers suddenly added, real friends removed, or messages sent from the account that the child clearly did not write.

If only one of these matches and the password still works, try a normal password reset first — it might just be a forgotten password rather than a compromise. If two or more match, treat it as a real takeover and move into the recovery sequence below. The faster you act, the more likely Roblox can reverse trades or restore limited items before the 3-day trade hold expires and the hacker offloads everything to a clean account.

Before You Reset: Gather What Roblox Support Will Ask For

Most parents skip this step and regret it three days later when a support ticket comes back asking for proof of ownership they could have gathered in five minutes. Before you reset anything, pull together a proof-of-ownership pack:

  • Purchase receipts. Any Robux purchase email from Apple, Google Play, the Microsoft Store, or roblox.com — including gift card redemption confirmations. Search the family inbox for “Roblox” and save every receipt with a date and an order number.
  • Account creation date and prior usernames. Roblox stores this in account settings, but if you cannot get in, an old screenshot or your child's memory of “I made it the summer of …” will help.
  • Original signup email and every email ever attached. If the account was migrated between emails, list all of them. The support team will cross-check.
  • Approximate Robux balance and known friends. A rough number from last week, the names of three or four close in-game friends, recent purchases the child remembers — anything that demonstrates the legitimate owner is asking.
  • Screenshots of the takeover. Hacker DMs, suspicious trades, the changed profile, the login alert email. Take these now before the attacker deletes messages or you lose access to the inbox entirely.

Keep all of this in a single folder or note on your phone. When you eventually open a support ticket — which often happens later in this process — pasting one organized pack is the difference between a 48-hour resolution and a two-week back-and-forth.

The 4-Step Recovery Sequence (If You Can Still Log In or Reset)

If the password reset email still arrives at an inbox you control, run these four steps in this exact order. Doing them out of order will undo previous steps — for example, signing out of other sessions before changing the password lets the attacker sign right back in.

  1. Reset the password from a clean device. Open roblox.com on the parent's phone or a clean computer, click Forgot Password, and use the email reset link. Pick a brand new password that is not used on any other site — at least 12 characters with mixed case, numbers, and a symbol.
  2. Turn on 2-Step Verification with an authenticator app. In Account Settings → Security, enable 2-Step Verification. Choose the Authenticator option (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS — SIM-swap attacks and shared phone access make SMS the weaker option for kids.
  3. Sign out of all other active sessions. Still in Account Security, look for the option that lists current sessions and end them. This kicks the attacker out of any browser, app, or device where they were still logged in. If you skip this step, the new password does not lock them out — they keep the session cookie.
  4. Run a full virus and malware scan. On the device the child was using, run the built-in defender (Windows Security, macOS XProtect) and a reputable second-opinion scanner. Pay particular attention to browser extensions, sketchy free games, and “cheat menus” installed in the last 30 days. A cookie-stealer on the original device will re-compromise the account within hours otherwise.

Finally, set a parent-controlled Account PIN under Settings → Security. The PIN locks settings changes — including disabling 2-Step Verification — behind a 4-digit code only you know. This is the single setting that stops a future re-compromise from quietly undoing every step above.

Locked Out: When the Hacker Changed the Email or Password

If the attacker already swapped the recovery email or phone number, the self-serve reset path is broken. You now need Roblox's account-recovery team. Go to roblox.com/support on a desktop browser and submit a request:

  • Pick the category “Account and Login Issues” (or whichever current label matches account recovery), and clearly state in the first line: “Account has been compromised — recovery email has been changed.”
  • Paste the proof-of-ownership pack you gathered above. The more specific the receipts, dates, prior usernames, and screenshots, the faster the team can verify and restore.
  • Submit one ticket and wait. Standard response is typically a few business days, longer during weekends and holidays. Opening duplicate tickets pushes you to the back of the queue and slows everything down — resist the temptation.
  • If the account was deleted or banned during the takeover (a common attacker move to cover tracks), say so in the ticket. Recovery is often still possible because Roblox keeps account data after deletion for a window of time, but it has to be requested explicitly.

Do not, under any circumstance, pay a “Roblox account recovery service” advertised on YouTube, TikTok, Discord, or Telegram. Every one of them is a scam — either they ghost after payment, or they ask for the very credentials they claim to be recovering and use them to lock you out of whatever account you do still have. Roblox support is free. There is no legitimate third-party that can recover a Roblox account, because nobody outside Roblox has the database access required to do it.

Can You Get the Robux, Items, or Trades Back?

Set expectations honestly, especially before the child asks. Roblox can sometimes restore items and reverse unauthorized trades, but Robux that has already been spent is generally gone.

What is typically recoverable:

  • Limited items moved out via trade — if the trade is still inside the 3-day trade hold window, Roblox can often reverse it when you flag it via support. Outside the hold window, recovery drops sharply.
  • Items sold to the catalog or deleted — sometimes restorable case-by-case if you can prove ownership and the action was clearly unauthorized.

What is generally not recoverable:

  • Robux that was spent. Once the attacker has bought items, gifts, or game passes with the Robux, that currency is considered consumed. Refunds are rare and reserved for clear billing fraud.
  • Robux gifted to another account. Treated similarly to spent Robux.

When you file the support ticket, include exact timestamps of the suspicious trades and transactions, screenshots of the trade window if you have them, and the usernames of any accounts that received items. Acting quickly matters — the 3-day trade hold is the single most important window. After that, the items have usually been re-traded into a clean account and tracing them becomes much harder. Tell the child the truth: limited items might come back, spent Robux probably will not, and the priority right now is the account itself, not the inventory.

How They Probably Got In: The Real Attack Vectors Kids Fall For

Before the follow-up conversation, you need to know which trapdoor the attacker used. Roblox account compromises almost never come from someone “hacking Roblox” — they come from the child handing over the credentials, usually without realizing it. The common routes:

  • Fake “free Robux” generator sites. A site that promises 10,000 free Robux in exchange for a username and password. There is no such thing as a Robux generator. Every site that claims to be one is a credential harvester.
  • Phishing links in Discord, Snapchat, or in-experience chat. A “friend” or stranger sends a link that opens a page styled to look exactly like the Roblox login screen. The child logs in, the credentials go to the attacker, the page redirects to the real Roblox so nothing looks wrong.
  • Trade-scam lookalike sites. A “trader” offers a rare item if the child logs in on a third-party trading site to confirm inventory. The site captures the password.
  • Shared passwords with real-life friends. The child told their best friend the password “just so they could play once.” The best friend told their cousin. The cousin sold it to someone in a Discord server.
  • Reused passwords. The same password the child uses on Roblox is the password they used on a random game forum that got breached two years ago. Credential-stuffing bots do the rest.
  • Browser extensions and pirated game cheats. Cookie-stealer extensions, fake aimbot installers, and “free script executor” downloads silently exfiltrate the Roblox session cookie — no password needed.

Knowing which one it was is the entire purpose of the follow-up conversation. The fix is different for each. The NexSpy walkthrough covers the early-warning layer that catches the second phishing attempt before another account falls.
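
To make the lookalike-link routes above concrete, here is an added example (not part of the original guide and not NexSpy code): a small Python check that separates the real roblox.com from links that only dress up as it. The `.example` hosts, the function names, and the character-swap list are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only site that should ever receive the Roblox password is
# roblox.com or one of its subdomains (the guide points to roblox.com).
OFFICIAL_DOMAIN = "roblox.com"
BRAND_TOKENS = ("roblox", "robux")
# Character swaps and separators used to imitate the brand
# (constructed for this example, not exhaustive).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "i": "l", "-": "", "_": ""})
URL_RE = re.compile(r"(?:https?://)?[\w.@-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one link."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "https://" + url  # bare "site.example/path" links
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority section
        return "unrelated"
    # Only the real host counts. urlsplit separates a "user@" prefix from
    # the hostname, so "roblox.com@evil.example" is judged by evil.example.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Not the official host: does the link still use the brand anywhere in
    # the authority or path (subdomain trick, digit swaps, user@ prefix)?
    disguise = (parts.netloc + parts.path).lower().translate(LOOKALIKE_MAP)
    if any(token in disguise for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def suspicious_links(message: str) -> list[str]:
    """Return every link in a chat message that imitates Roblox."""
    return [u for u in URL_RE.findall(message) if classify_link(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample messages; the .example hosts are placeholders.
    samples = [
        "log in at https://www.roblox.com/login to check your trades",
        "staff here, verify at https://roblox.com.account-verify.example/login",
        "claim at free-robux-generator.example/claim before it ends",
        "use https://roblox.com@login-verify.example/ to confirm inventory",
    ]
    for text in samples:
        print(suspicious_links(text), "<-", text)
```

The point for the follow-up conversation: what matters is the host the browser actually connects to, not whether "roblox" appears somewhere in the link.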

Catch the Next Attempt Early: Ongoing Supervision with NexSpy

The fastest way to never run this recovery again is to see the lure the moment it arrives — not days later when the Robux is gone. NexSpy is built around the apps where those messages actually land, with privacy-by-design alerts instead of indiscriminate chat reading.

See the lure where it actually arrives

NexSpy provides social content monitoring on Android across the 14 platforms where “free Robux” DMs, fake giveaway threads, and trade-scam links really get sent:

  • TikTok, YouTube, Instagram, WhatsApp, Facebook
  • Snapchat, Messenger, Discord, X, LINE
  • Google Chat, Telegram, Reddit, and Kik

If your child plays Roblox, the phishing usually hops in from Discord servers, Snapchat group DMs, or a TikTok comment promising a generator. NexSpy watches the inbox of all of them on Android in one place, so the lure does not slip past you because it arrived on a platform you do not personally use.

Custom keywords for the scam vocabulary that targets Roblox kids

The Roblox scam dictionary is small and predictable. NexSpy custom keyword alerts let you flag the exact phrases:

  • “free robux”
  • “robux generator”
  • “trade my account”
  • “discord trade”
  • “rare item giveaway”

Custom keyword lists support multiple languages, including Vietnamese, so if your household chats in Spanish, Portuguese, or another non-English language, the same alerts fire on native-language lures. Beyond your custom list, NexSpy ships four pre-built risk categories — cyberbullying, adult content, mental health, and custom keywords — so the obvious red flags are covered without you having to think of every phrase.

Privacy-by-design alerts and image lures

When a keyword fires, NexSpy surfaces only the text snippet that triggered it — not the entire chat. You get the context you need to act, the child keeps the privacy of conversations that did not raise a flag, and supervision stays inside parental safety rather than indiscriminate reading.

For lures that arrive as an image instead of text — a screenshot of a fake login page, a “scan this QR for free Robux” graphic — NexSpy's Inappropriate Image Detection scans the entire photo gallery using a machine-learning NSFW model on both Android and iOS. That catches the visual side of the same scam pipeline.

Real-time alerts mean a parent sees a “free robux click here” DM the moment it lands, not days later after the account is drained. That is the difference between a five-minute conversation and another recovery weekend.

This matters most in the weeks right after a Roblox compromise. The kid who fell for a free Robux link last week is on the same platforms tomorrow, and the scammers who got in once know it. The lure for round two will arrive on Discord or Snapchat within days. The job is to make sure that DM does not sit unread in a parent's blind spot for a week — that the alert lands the same hour the message does, while the child can still be talked out of clicking.

Honest limits: full text-side social content monitoring is Android only. On iOS, coverage is limited to Inappropriate Image Detection and notification-level signals where Apple permits. No keyword or AI detection is 100 percent accurate, and the design priority is minimizing false positives — meaningful alerts that a parent will actually read, rather than constant noise that gets muted.

The Conversation to Have After Recovery

The talk is more important than the password. Lead with calm or the child will hide the part you most need to hear.

  • Open with “I'm not mad, I need to understand.” The goal of the conversation is not punishment, it is finding out exactly which site, DM, or person the password reached. If the child thinks they are in trouble, they will give you a vague answer and you will fix the wrong hole.
  • Ask which site, link, or friend. “Was it a generator site? A Discord DM? A friend at school?” The answer drives the prevention plan — a generator site means a malware scan and a browser cleanup, a Discord DM means tightening who can message the account, a real-life friend means a conversation about why passwords are never shared, ever.
  • Agree on a new password the child will not share — with anyone. Not the best friend, not the cousin, not the kid who “lets them play their account too.” Write it down somewhere physical that only the parent has.
  • Explain free Robux in one sentence. “Roblox is the only place that can make Robux. Anyone offering you free Robux is lying — every single time.” Repeat it until they can finish the sentence themselves.
  • Be clear about supervision going forward. Tell the child exactly what parent supervision sees — alerts on risky words, not every message — and what it does not see. Honesty here keeps the trust intact.

Lock It Down: Prevention Settings to Turn On Today

Before you close the laptop, run this 10-minute checklist:

  1. Strong unique password. Generated by a password manager if possible, not reused on any other site or game. Long beats clever — a 16-character passphrase is stronger than “Pa$$w0rd!” and easier to remember.
  2. 2-Step Verification via authenticator app. Authenticator apps beat SMS for kids' accounts because SMS codes can be read off a shared family phone or intercepted via SIM swap.
  3. Account PIN set by the parent. Locks settings changes — including disabling 2SV — behind a 4-digit code the child does not know. This is the silent safety net.
  4. Account Restrictions mode for younger kids. Under Settings → Parental Controls, Account Restrictions limits chat and content to a curated, age-appropriate set. Ideal for under-13s.
  5. Parent email as the recovery email. Use a parent-controlled inbox as the recovery address. If a future takeover attempt swaps the email, the alert goes to you, not the kid.

Set a 30-day calendar reminder to check session history, review purchase emails, and make sure 2SV is still on. Re-compromise within a few months is common when the original malware vector was never cleaned up.

Frequently asked questions

What happens to my child's account after it's been hacked?

Typically the attacker will change the password and email if they can, drain Robux into purchases, trade out limited items to another account they control within the 3-day trade hold, and sometimes delete the account to cover their tracks. Recovery is still possible in most of those cases if you act within the first 48 hours.

Can I recover a Roblox account that was deleted during the hack?

Often yes. Roblox keeps deleted-account data for a window of time, and the support team can restore it if you submit a recovery request with strong proof of ownership. Open the ticket explicitly stating the account was deleted during a takeover.

How do I recover a Roblox account when I no longer have access to the email or phone number?

Submit a support request at roblox.com/support and include every piece of proof you have — purchase receipts with order numbers, account creation date, prior usernames, approximate Robux balance, and known friends. The team can recover an account based on ownership proof even when both the email and phone have been swapped.

Will Roblox give back the Robux that were spent by the hacker?

Usually no. Robux that has already been spent on items, gifts, or game passes is generally treated as consumed. Limited items lost to unauthorized trades are sometimes reversible if reported inside the 3-day trade hold window, but spent Robux refunds are rare.

How do I know if a “Roblox account recovery service” on YouTube or Discord is legit?

It is not. There is no legitimate third-party Roblox recovery service — only Roblox itself has the database access required. Every paid “recovery” offer is either a scam to take your money or a phishing attempt to take whatever credentials you still control. Use roblox.com/support, free, and ignore the rest.