Zynga hack led to data disclosure of 218M "Words with Friends" players

New data breach disclosed: serial hacker Gnosticplayers snatched data from 218 million “Words with Friends” gamers

Zynga data breach: 218 million users who played Words with Friends got their information stolen by the notorious Gnosticplayers hacker

Zynga Inc., one of the most successful online game developers, responsible for such titles as FarmVille,[1] Words with Friends, Cafe World, CSR Racing, and many others, got hacked. According to The Hacker News,[2] the new data breach was carried out by the notorious Pakistani hacker “Gnosticplayers,” who previously sold five batches of stolen user data from various sites,[3] totaling almost 1 billion records.

The serial hacker managed to get into the database of 218 million records of the mega-popular “Words with Friends” social game and stole user data such as names, SHA-1 hashed passwords, login IDs, email addresses, Zynga account IDs, and a few other details that gamers could optionally enter.

On the 12th of September, Zynga admitted the hack and claimed that only account login information was illegally accessed by “outside hackers”:[4]

Cyber attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.

Zynga is one of the leading gaming firms in the world, focusing on interactive social media and mobile device games, which are available in 150 countries to more than a billion users. Founded in 2007, the company employs 1,777 employees and has a net worth of around $5.5 billion.[5]

7 million Zynga game users got their passwords in plain text stolen

The Hacker News managed to contact Gnosticplayers and get more insight into the breach. He said that the 218 million stolen records belonged to users who registered for the Words with Friends game up to September 2019. Additionally, the hacker claimed that this is not the only game he managed to access: some data from games like Draw Something and OMGPOP was also accessed, exposing the plain text passwords of 7 million gamers.

In the meantime, Zynga said that the investigation is still ongoing, and no further announcements have been made since the initial one:

While the investigation is ongoing, we do not believe any financial information was accessed. However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds.

What to do if you played Zynga games and logged into your account

As mentioned, only users who installed and registered for Words with Friends on or before September 2nd were affected. Thus, if you registered only recently, you should not be worried. Nevertheless, there are several groups of people who should be worried about this breach and should immediately take action to limit the consequences.

Most of the users who played Draw Something or Words with Friends will be prompted to change their passwords upon next login. However, because Facebook IDs, phone numbers, and password reset tokens were also affected (if provided), users should immediately take care of securing their phones as well as social media accounts. You will find all the relevant information on how to secure all the related accounts here.

Please be aware that those who reuse passwords for other accounts also risk having those accounts compromised. Therefore, it is vital to make sure that your passwords are never reused for anything. The best thing to do would be to use a password manager and enable two-factor authentication.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
