
Data Breach Warning For 200 Million Android And iOS Gamers

This article is more than 4 years old.


Social gaming, like most things to do with smartphones, is big business. Zynga (NASDAQ:ZNGA) is one of the more prominent players in this market sector. Online gaming revenues at Zynga were $671 million (£541 million) in 2018 and are expected to grow to $920 million (£747 million) in 2019. When one of the big social gaming players with a market capitalization of $5.499 billion (£4.468 billion) and more than a billion players gets hacked, then it's big news.

After a pretty low-key September 12 disclosure from Zynga that some player account information may have been accessed illegally by "outside hackers," an investigation was started, external forensic firms were called in to help and law enforcement was contacted. Then things went quiet. Until now.

A cybercriminal allegedly behind the Collection #1 and Collection #2 data dumps at the start of the year, going by the name of Gnosticplayers, has now claimed to have breached the data of more than 200 million Android and iOS players of Zynga games. Here's what is known so far.

Players of which Zynga games are affected?

Zynga is home to some of the best known social games, including the likes of Farmville, Mafia Wars and Zynga Poker. However, according to the report that broke September 29 at The Hacker News, Gnosticplayers has claimed to have breached the Words With Friends player database.

The report states that the breach affects all players on both Android and iOS platforms who installed and signed up to play Words With Friends before September 3, 2019. As well as the Words With Friends data, Gnosticplayers told The Hacker News that data belonging to another Zynga game called Draw Something, along with a discontinued game called OMGPOP, was also accessed.

What Words With Friends player data has potentially been compromised?

The Hacker News has stated that it has had eyes on a data sample supplied by Gnosticplayers with the following information:

  • Names
  • Email addresses
  • Login IDs
  • Hashed (SHA1 with salt) passwords
  • Password reset tokens if one had ever been requested
  • Phone numbers where provided
  • Facebook IDs if connected to the social media platform
  • Zynga account IDs

It is further alleged that the cybercriminal also managed to access information for some 7 million players of Draw Something and OMGPOP that included clear-text passwords.

What does Zynga say about the breach?

On September 12, Zynga issued a statement that confirmed: "certain player account information may have been illegally accessed by outside hackers." At the time, it stated that no financial information was believed to have been accessed, but account login information for some players of both Words With Friends and Draw Something might have been. "As a precaution, we have taken steps to protect these users’ accounts from invalid logins," the statement read, "We plan to further notify players as the investigation proceeds."

I have contacted Zynga for a statement regarding the new developments in this case and will update the story once I hear back from the company spokesperson.

What do the security experts say?

"While a breach is always unfortunate, it is encouraging to see that Zynga had sufficient monitoring in place to detect the breach and notify its customers," said Javvad Malik, a security awareness advocate at KnowBe4. Malik wasn't so encouraged by the potential for the 7 million cleartext passwords being exposed though. "In today's day and age," he said, "no company should be storing cleartext passwords."

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said that "the information reportedly stolen does not give an immense 'marge de maneuver' to the attackers; however, all potential victims should remain vigilant when handling any incoming emails or messages." Kolochenko also said that it would be "premature to derive any categorical conclusion about the true origins and scope of the breach before technical investigation is over."

"This is just the latest in a string of hacks from Gnosticplayers who appears to be vying for a reputation as much as monetary gain," Max Heinemeyer, director of threat hunting at Darktrace said.

What should gamers do now?

The same advice applies here as to any data breach in which your account information may have been caught up. First, if your password has not already been reset, then go and reset it as a matter of urgency. If you have used that same password elsewhere, then those account logins should also be reset. And, as already stated, additional vigilance is now essential among all Words With Friends and Draw Something players when it comes to unsolicited emails, telephone calls or text messages. The information that has supposedly been compromised could be used in phishing attacks.

