Animal Jam Kids’ Virtual World Hit By Data Breach, Impacting 46m Accounts: Expert Commentary

The immensely popular children’s online playground Animal Jam has suffered a data breach impacting 46 million accounts. This is confirmed when a hacker shared two databases belonging to Animal Jam for free on hacker forum stating it was obtained by ShinyHunters. These databases contain:

  • 46 million player usernames, which are human moderated to make sure they do not contain a child’s proper name.
  • 46 million SHA1 hashed passwords.
  • Approximately 7 million email addresses of parents whose children registered for Animal Jam

Experts Comments

November 13, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
ShinyHunters did it again. Fresh off of their leak of a massive Mashable database. It’s important for all to understand that it’s never appropriate to target kids’ data, and the services that make this available need to be stopped. A lot of companies use communications apps such Slack without 2FA, which seems to be the case with Animal Jam. This could possibly have been avoided with MFA – instead, companies assume they’re not targets, or mistakenly believe that using a password.....Read More
ShinyHunters did it again. Fresh off of their leak of a massive Mashable database. It’s important for all to understand that it’s never appropriate to target kids’ data, and the services that make this available need to be stopped. A lot of companies use communications apps such Slack without 2FA, which seems to be the case with Animal Jam. This could possibly have been avoided with MFA – instead, companies assume they’re not targets, or mistakenly believe that using a password that’s too short is sufficient. This just underscores that any shared service - GitHub, Citrix, whatever – needs to be protected with multi-factor authentication apps or preferably a token, and just how important password managers are. All employees should have password managers and be required to use multifactor authentication. The reality is these people have lots and lots of stolen data, and it’s highly categorized and organized for cross referencing, making targeted attacks easier than ever before. The end result might be that some kids go for a social security number at age 4, 10 or even later, or go for their first school loans when applying for college, only to learn they’ve maxed out their credit.  Read Less
November 13, 2020
Martin Jartelius
CSO
Outpost24
The main risk we are facing here is that for anyone re-using credentials they may fall victim to credentials spraying where their logins in this system is used against other platforms. So if you know you are re-using credentials, be it that you have an account on this service or not, please prioritize getting unique credentials setup per service.
November 13, 2020
Sam Curry
Chief Security Officer
Cybereason
A breach and exposure of as wide a datasheet as is being reported by Animal Jam is another example of the new norm where breaches have become mundane and the routine. Everyone involved should be concerned when a company announces that nearly one third of their users might have had their records stolen. With more than 130 million registered users this is hardly the time to downplay the significant losses that could occur. I do give credit to Animal Jam's team for disclosing details of how the.....Read More
A breach and exposure of as wide a datasheet as is being reported by Animal Jam is another example of the new norm where breaches have become mundane and the routine. Everyone involved should be concerned when a company announces that nearly one third of their users might have had their records stolen. With more than 130 million registered users this is hardly the time to downplay the significant losses that could occur. I do give credit to Animal Jam's team for disclosing details of how the breach occurred and for reassuring their customers how important data protection and privacy is. For customers of Animal Jam it is imperative that they all update their passwords immediately. Never, ever use a password such as 'password' or '1234567' because you are asking for trouble. You would be surprised how easy some people make it for hackers to be successful. Animal Jam's customers should also consider using a password manager because they are easy to use and safe. There are many reputable products on the market today and many are offering Free trial offers during the holiday shopping season.  Read Less
November 13, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
The gaming industry is a common target for attacks, be it data theft or ransomware attacks. An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often items for sale - at least accounts owned my adults spending money. However, we now have proof that even educational games for children are no longer safe, but valuable resources for bad actors. In this.....Read More
The gaming industry is a common target for attacks, be it data theft or ransomware attacks. An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often items for sale - at least accounts owned my adults spending money. However, we now have proof that even educational games for children are no longer safe, but valuable resources for bad actors. In this breach, the attacker was able to access and steal account information from 46 million users. One way the cybercriminals may abuse this data is to carry out a phishing attack. Therefore, users, or their parents, need to watch out for any emails asking for personal information. It is important that the account password is changed immediately as well to avoid an account takeover. Passwords should also be changed across any other service where it might have been reused. The attackers might cross-reference your account information on other services in order to find other exploitable services. Fortunately, it does seem that the company is doing all they can to support their users. They issued a warning and a FAQ (https://www.animaljam.com/en/2020databreach) to help users with any issues connected to the data breach.  Read Less
November 13, 2020
Saryu Nayyar
CEO
Gurucul
The data breach at Animal Jam is concerning mostly because many of the accounts belong to children. Fortunately, there does not appear to be any financial information exposure and little of the released data appears to be directly useful. However, the attackers could use the exposed email addresses to launch social engineering against the young users. WildWorks has set a fine example by responding quickly and transparently. Parents should monitor their kid's email for related attacks, and.....Read More
The data breach at Animal Jam is concerning mostly because many of the accounts belong to children. Fortunately, there does not appear to be any financial information exposure and little of the released data appears to be directly useful. However, the attackers could use the exposed email addresses to launch social engineering against the young users. WildWorks has set a fine example by responding quickly and transparently. Parents should monitor their kid's email for related attacks, and take the opportunity to teach them about managing their passwords and how to identify malicious emails.  Read Less
November 13, 2020
Anurag Kahol
CTO
Bitglass
The personally identifiable information (PII) and financial information connected to users’ gaming accounts are valuable data that attackers can use to commit financial fraud, identity theft, and trade on dark web marketplaces. Incidents like this emphasise the criticality of ensuring that proper cloud security controls are implemented to defend users’ data. To mitigate the risks of future data breaches and protect sensitive data, all organisations must have full visibility throughout.....Read More
The personally identifiable information (PII) and financial information connected to users’ gaming accounts are valuable data that attackers can use to commit financial fraud, identity theft, and trade on dark web marketplaces. Incidents like this emphasise the criticality of ensuring that proper cloud security controls are implemented to defend users’ data. To mitigate the risks of future data breaches and protect sensitive data, all organisations must have full visibility throughout their IT ecosystem or anywhere their sensitive data is stored in order to monitor and prevent any suspicious activity. By leveraging flexible, cost-effective solutions that enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage, organisations can ensure the privacy and security of customer information.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.