The immensely popular children’s online playground Animal Jam has suffered a data breach impacting 46 million accounts. This is confirmed when a hacker shared two databases belonging to Animal Jam for free on hacker forum stating it was obtained by ShinyHunters. These databases contain:
- 46 million player usernames, which are human moderated to make sure they do not contain a child’s proper name.
- 46 million SHA1 hashed passwords.
- Approximately 7 million email addresses of parents whose children registered for Animal Jam
The main risk we are facing here is that for anyone re-using credentials they may fall victim to credentials spraying where their logins in this system is used against other platforms. So if you know you are re-using credentials, be it that you have an account on this service or not, please prioritize getting unique credentials setup per service.
A breach and exposure of as wide a datasheet as is being reported by Animal Jam is another example of the new norm where breaches have become mundane and the routine. Everyone involved should be concerned when a company announces that nearly one third of their users might have had their records stolen. With more than 130 million registered users this is hardly the time to downplay the significant losses that could occur. I do give credit to Animal Jam\’s team for disclosing details of how the breach occurred and for reassuring their customers how important data protection and privacy is.
For customers of Animal Jam it is imperative that they all update their passwords immediately. Never, ever use a password such as \’password\’ or \’1234567\’ because you are asking for trouble. You would be surprised how easy some people make it for hackers to be successful. Animal Jam\’s customers should also consider using a password manager because they are easy to use and safe. There are many reputable products on the market today and many are offering Free trial offers during the holiday shopping season.
The gaming industry is a common target for attacks, be it data theft or ransomware attacks. An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often items for sale – at least accounts owned my adults spending money. However, we now have proof that even educational games for children are no longer safe, but valuable resources for bad actors.
In this breach, the attacker was able to access and steal account information from 46 million users. One way the cybercriminals may abuse this data is to carry out a phishing attack. Therefore, users, or their parents, need to watch out for any emails asking for personal information. It is important that the account password is changed immediately as well to avoid an account takeover. Passwords should also be changed across any other service where it might have been reused. The attackers might cross-reference your account information on other services in order to find other exploitable services.
Fortunately, it does seem that the company is doing all they can to support their users. They issued a warning and a FAQ (https://www.animaljam.com/en/2020databreach) to help users with any issues connected to the data breach.
ShinyHunters did it again. Fresh off of their leak of a massive Mashable database.
It’s important for all to understand that it’s never appropriate to target kids’ data, and the services that make this available need to be stopped. A lot of companies use communications apps such Slack without 2FA, which seems to be the case with Animal Jam. This could possibly have been avoided with MFA – instead, companies assume they’re not targets, or mistakenly believe that using a password that’s too short is sufficient. This just underscores that any shared service – GitHub, Citrix, whatever – needs to be protected with multi-factor authentication apps or preferably a token, and just how important password managers are.
All employees should have password managers and be required to use multifactor authentication. The reality is these people have lots and lots of stolen data, and it’s highly categorized and organized for cross referencing, making targeted attacks easier than ever before. The end result might be that some kids go for a social security number at age 4, 10 or even later, or go for their first school loans when applying for college, only to learn they’ve maxed out their credit.
The data breach at Animal Jam is concerning mostly because many of the accounts belong to children. Fortunately, there does not appear to be any financial information exposure and little of the released data appears to be directly useful. However, the attackers could use the exposed email addresses to launch social engineering against the young users.
WildWorks has set a fine example by responding quickly and transparently. Parents should monitor their kid\’s email for related attacks, and take the opportunity to teach them about managing their passwords and how to identify malicious emails.