A hacker has stolen the account data of 218 million players of Zynga’s “Words with Friends”. Zynga warned its users about the breach a couple of weeks back and urged them to reset their passwords, but the incident has also compromised a smaller number of players of two other games.
Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data#MobileSecurity by @TheHackersNewshttps://t.co/RQIWVZthWQ
— Mobile Security (@mobilesecurity_) September 29, 2019
It is always troubling to see when the breach of one application or platform leads to losses for multiple systems and platforms, as its indicative of rather permissive access within an organization. The presence of the OMGPOP cleartext credentials also shows that the earlier procured company stored those unprotected, and that the company have then either migrated the data along or that they have used the old environment to build on top of.
It is also questionable on what basis the company have kept processing those individuals information for such an extended period of time.
“As if on cue, there is another data breach in a new industry. It’s as though fraudsters are showing how diverse their portfolio is, with almost every industry covered. In the past three months, consumers could have had their identity breached by applying for a credit card with the largest card company, ordering food on a popular delivery app, signing up for a movie membership card, participating in online dating or even playing a game on their phone. No industry is safe if it involves user data.
The gaming industry is booming and expected to reach $174 billion by 2021. The growth that the industry is experiencing makes it an attractive, and lucrative target for fraudsters – as demonstrated by Zynga, a major player in the gaming industry.
This breach is significant not just because of the sheer size of impacted consumers, 200 million, but because the demographic is very diverse. Zynga’s portfolio includes games that are popular with many different age groups, ranging from Words with Friends, where half of users are above the age of 45, to the game Draw Something, which has an age rating of 4+. Children are not actively tracking or monitoring their digital footprints and identity usage, which gives criminals a long runway to farm identities and destroy a child’s digital footprint well before they even graduate high school. On the heels of the Ecuador data breach impacting 6.7 million children, this marks the second major breach in two weeks with potentially wide-spread and long-term fraud repercussions for a young demographic.
This breach is a scary reminder that in today’s digital-first economy, identity is the true currency. The dark web is a very different place now than it was even three years ago. The sophistication and connectivity of the cybercrime ecosystem, combined with the high-profile data breaches like Zynga, makes it very easy to stitch together information to build complete profiles of user identity. This has fundamentally altered the digital commerce landscape: identity cannot be trusted and intent is easy for fraudsters to fake. It has never been easier to commit fraud and companies must implement a fraud and abuse prevention strategy that removes the economic incentive to attack.
Zynga’s data breach exposing the usernames, emails and passwords of more than 200 million users further demonstrates that user data is never safe. Whether playing innocent games on your phone or ordering food from DoorDash, cybercriminals are looking for every opportunity possible to acquire user data. This exposed information is sure to find a home on the dark web, enabling fraudsters to log into user accounts and commit account takeover fraud. Because these games are often connected to the user Facebook accounts, hackers can gain access to far more information under a forged identity. According to BuiltWith, there are over 190,000 websites that are Facebook Login Button customers and almost 40,000 live websites using Facebook Login Button. Logging in with this stolen information (including the 7 million Draw Something passwords left in clear text with this breach) makes it impossible to determine if the actual account holder is the one logging in. It’s apparent that these traditional authentication methods can no longer be trusted – companies must adopt biometric-based authentication to ensure a user’s data remains in the right hands.
While a breach is always unfortunate, it is encouraging to see that Zynga had sufficient monitoring in place to detect the breach and notify its customers.
What is not so encouraging is seeing a subset of several million users passwords which had been stored in cleartext. In today\’s day and age, no company should be storing cleartext passwords. With many users frequently reusing passwords, the breach of this nature can lead to other accounts of individuals being compromised, particularly as the breach also contained email addresses.
At the very least this information can fuel attacks in which people receive emails from scammers which include their password. These emails state that the recipient has been hacked and sensitive or embarrassing information will be released to the public unless they pay a fee.
In light of the reported inclusiveness of compromised data, it may well be a breach related to unprotected backup available in a cloud or elsewhere. The information reportedly stolen does not give an immense marge de maneuver to the attackers, however, all potential victims should remain vigilant when handling any incoming emails or messages. It would be premature to derive any categorical conclusion about the true origins and scope of the breach before the technical investigation is over. So far, Zynga’s response seems to be adequate to the obscure circumstances of the alleged incident.