Hackers steal 46 million Animal Jam user accounts and passwords

Not long after cyber criminals hacked gaming giant Activision and stole over half a million user accounts, a prolific hacker has reportedly stolen over 46 million user accounts associated with popular children's online playground Animal Jam, indicating the magnitude of the threat faced by gaming companies online.

The theft of approximately 46 million user account records was announced earlier this week by WildWorks, the company behind Animal Jam, which said it was carried out by hackers who launched a cyber attack on a vendor-owned server that was used for intra-company communication.

The stolen user account records were stored in a database within the vendor-owned server and a subset of the records included "the email addresses of the parents managing the player accounts and other data that could be used to identify the parents of Animal Jam players," WildWorks said.

According to the gaming giant, which also offers popular online games such as AJ Classic, Tag with Ryan, and Dash Tag, the cyber attack resulted in the compromise of the following information:

  • Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
  • Approximately 32 million player usernames associated with these parent accounts
  • Passwords associated with those user accounts, but in encrypted form
  • 14.8M records include the birth year the player entered at account creation
  • 23.9M records include the gender the player entered at account creation
  • 5.7M accounts include the full birthday the player entered at account registration
  • 12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
  • 16,131 of the parent accounts include a parent’s first and last name, without a billing address

WildWorks said the data breach most probably occurred between 10th and 12th October but the company came to know about the incident this Wednesday after security researchers found the stolen Animal Jam data when monitoring raidforums.com, a public hacker forum.

The company said the compromised data includes a subset of accounts created in Animal Jam and Animal Jam Classic over the past 10 years and that, even though the passwords are encrypted, hackers can still guess user passwords if users have selected weak or easily guessable passwords.

"As a precaution, we are forcing ALL players to change their passwords immediately to ensure the security of their accounts. We urge Jammers to choose a new password that is at least 8 characters long and incorporates a random combination of capital letters, numbers, and lowercase letters, but does NOT incorporate any actual words or names," the company added.

Commenting on the massive breach impacting Animal Jam user records, Javvad Malik, security awareness advocate at KnowBe4, says that even though it is reassuring to see Animal Jam take a proactive stance in investigating the breach and being transparent in its approach, the incident raises the question of how deeply embedded technology has become in all aspects of our lives, where even children's toys and games need accounts to be set up which can potentially hold sensitive information - and make an attractive target to attackers.

"It's why at a broad scale, manufacturing and technology need to work together to embed security not just in products, but create a culture of security that pushes good security practices to the forefront. While no one approach will be able to prevent all breaches, it's important that data isn't collected unless necessary, and the data that is collected, is done for legitimate purposes and secured properly," he adds.

Commenting on hackers targeting gaming companies like WildWorks and Activision, Boris Cipot, senior security engineer at Synopsys, says that the gaming industry is a common target for attacks, be it data theft or ransomware attacks. An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up.

"Gaming accounts are often items for sale - at least accounts owned by adults spending money. However, we now have proof that even educational games for children are no longer safe, but valuable resources for bad actors," he observes, adding that victims of data breaches should quickly change their account passwords and should watch out for any emails asking for personal information.


Copyright Lyonsdown Limited 2020