A Pakistani hacker has claimed to have breached a database belonging to mobile gaming major Zynga that contained personal and profile information of more than 218 million people who had installed the popular Words With Friends game on their phones.
According to The Hacker News, which spoke to the Pakistani hacker, the database owned by Zynga, which also developed the massively popular mobile game FarmVille, contained profile information of over 218 million people who downloaded the Words With Friends app on or before September 2 this year.
The hacker goes by the alias Gnosticplayers and was previously responsible for some of the largest data breaches ever, stealing as many as 620 million online accounts from databases of user data collected by a number of applications.
In February this year, Gnosticplayers put up all 620 million online accounts for sale on the Dream Market cyber-souk, a Dark Web marketplace which can be accessed using Tor. The stolen online accounts contained names, email addresses, and passwords of millions of people from across the globe.
Of those 620 million accounts, 162 million were stolen from Dubsmash, 151 million from MyFitnessPal, 92 million from MyHeritage, 41 million from ShareThis, 28 million from HauteLook, 25 million from Animoto, 18 million from Whitepages, 16 million from Fotolog, 11 million from Armor Games, and 8 million from BookMate.
Millions of account details of gamers were also stolen from other platforms such as Artsy, CoffeeMeetsBagel, DataCamp, 500px, and EyeEm. The passwords for all of these accounts were hashed using the age-old MD5 algorithm and could be cracked with standard software by rookie hackers.
Hacker accessed phone numbers, email IDs & Facebook IDs of Words With Friends users
While the loss of personal information of over 218 million customers is cause for great alarm, Zynga announced on September 12 that it had "identified account login information for certain players of Draw Something and Words With Friends" that may have been accessed by outside hackers.
The company did not say how many accounts were compromised as a result of the breach, nor what kind of information was accessed by the hacker, though it did inform customers that it did not believe any financial information was accessed.
"While the investigation is ongoing, we do not believe any financial information was accessed. However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds," it said.
Gnosticplayers told The Hacker News that the database contained names, email addresses, login IDs, passwords hashed using SHA1 with salt, password reset tokens, phone numbers, Facebook IDs, and Zynga account IDs of millions of users of Words With Friends, wherever such details were provided by users to the app.
Zynga stored passwords of 7m users in clear text, says the hacker
The hacker also claimed to have accessed 7 million more user accounts of other Zynga-owned games, such as Draw Something and the discontinued OMGPOP game, and said that these accounts contained clear text passwords for all 7 million users.
"It is always troubling to see when the breach of one application or platform leads to losses for multiple systems and platforms, as it's indicative of rather permissive access within an organisation. The presence of the OMGPOP cleartext credentials also shows that the earlier procured company stored those unprotected, and that the company has then either migrated the data along or used the old environment to build on top of," says Martin Jartelius, CSO at Outpost24.
"In today's day and age, no company should be storing cleartext passwords. With many users frequently reusing passwords, a breach of this nature can lead to other accounts of individuals being compromised, particularly as the breach also contained email addresses.
"At the very least this information can fuel attacks in which people receive emails from scammers which include their password. These emails state that the recipient has been hacked and sensitive or embarrassing information will be released to the public unless they pay a fee," says Javvad Malik, security awareness advocate at KnowBe4.
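As an added illustration of the password-storage point raised in the MD5 passage above and in the comments on cleartext passwords, the following Python example (written for this page, not code from the article, Zynga or the quoted companies) contrasts three ways a credential store can hold a password: cleartext, an unsalted MD5 hash, and a per-user-salted, iterated PBKDF2-HMAC-SHA256 hash. It then runs a small storage audit over constructed sample records. The wordlist, the record format, the user names and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for the public common-password lists
# that off-the-shelf cracking tools check unsalted hashes against.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor, in line with current OWASP guidance


def md5_unsalted(password: str) -> str:
    """Legacy scheme as described for the 620M-account dumps: one fast, unsalted hash.
    Identical passwords always produce identical hashes, so a lookup table works."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_unsalted_md5(stored_hash: str, wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Audit check: with no salt and no work factor, a precomputed table of hashes
    of common passwords answers the stored hash with a single dictionary lookup."""
    table = {md5_unsalted(p): p for p in wordlist}
    return table.get(stored_hash)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Recommended scheme: a fresh random 16-byte salt per user plus an iterated KDF.
    Encoded as 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' so the parameters
    travel with the record and the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def audit_records(records) -> dict:
    """Classify stored credential records. The record format is a constructed
    assumption: {'user': str, 'scheme': 'cleartext'|'md5'|'pbkdf2_sha256', 'value': str}."""
    findings = {}
    for rec in records:
        scheme, value = rec["scheme"], rec["value"]
        if scheme == "cleartext":
            finding = "cleartext: force reset and migrate to a salted KDF"
        elif scheme == "md5":
            finding = ("unsalted md5, matches common-password table: force reset"
                       if lookup_unsalted_md5(value) is not None
                       else "unsalted md5: rehash on next successful login")
        elif scheme == "pbkdf2_sha256" and value.startswith("pbkdf2_sha256$"):
            finding = "ok"
        else:
            finding = "unknown scheme: investigate"
        findings[rec["user"]] = finding
    return findings


# Constructed sample records (not real breach data).
SAMPLE_RECORDS = [
    {"user": "alice", "scheme": "cleartext", "value": "letmein"},
    {"user": "bob", "scheme": "md5", "value": md5_unsalted("letmein")},
    {"user": "carol", "scheme": "md5", "value": md5_unsalted("Tr0ub4dor&3-xyz")},
    {"user": "dave", "scheme": "pbkdf2_sha256", "value": pbkdf2_hash("letmein")},
]

if __name__ == "__main__":
    for user, finding in audit_records(SAMPLE_RECORDS).items():
        print(f"{user}: {finding}")
```

Running the block shows the difference the article's quotes are getting at: alice's and bob's records are immediately usable by anyone holding the dump, while dave's record, holding the same password, yields a different string for every user and costs hundreds of thousands of hash operations per guess. The "rehash on next successful login" finding is the usual migration path for legacy hashes when a forced reset of every user is not practical.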