The Guardian revealed that Zynga, a social game developer that created the likes of Farmville and Words With Friends, admitted to a hack in September, telling users that cyber-attacks were “one of the unfortunate realities of doing business today”. It did not reveal at the time how many accounts were affected, but now it has been revealed that the stolen database contained information on 172,869,660 unique accounts.
New breach: Zynga (creator of the Words with Friends game) suffered a data breach in September. Data included 173M unique email address, usernames and passwords stored as salted SHA-1 hashes. 69% were already in @haveibeenpwned. Read more: https://t.co/HgB09lvO3g
— Have I Been Pwned (@haveibeenpwned) December 19, 2019
Zynga’s response to its breach demonstrates how some organizations tend to view proper security as an afterthought. Companies falsely believe that they are faced with a lose-lose choice of innovating in the cloud and remaining competitive, or prioritizing security but moving at a slower and harming their overall market share as a result. However, this is a false choice – organizations can innovate while remaining secure if they implement the proper security controls as they adopt cloud. An automated cloud security strategy can help organizations detect misconfigurations and other threats, then either alert the appropriate personnel of the issue or trigger an automated remediation – all in real-time.
A company like Zynga has far reaching access into hundreds of millions of consumers and their devices, based on the games they develop and communities they create. Therefore, to initially respond that the hack is “one of the unfortunate realities of doing business today” comes across like an attempt to deflect responsibility, when Zynga does in fact have a responsibility to protect its users and their data.
With that said, while the passwords that were stolen were encrypted using SHA-1 — which is extremely easy to decrypt — they were fortunately also salted, making the passwords harder for hackers to use to compromise people further. The best practice would be for the consumer to still go and change their passwords. And, as history has told us, leaving the work in the hands of the consumer has always proven to be an ineffective method of cybersecurity; the number one attack vector and our weakest link in all of cybersecurity is people. If Zynga had implemented stringent security monitoring, detection, intelligence, and response capabilities, this breach might have been avoided altogether, and we wouldn’t need to rely on the users to prevent any further exposure
It comes as no surprise that yet another globally recognised technology organisation has been targeted and hacked in a successful cyber-attack. The private information that is collected when signing up to take part in social gaming makes it a prime target for cyber criminals looking to steal customers’ contact information or passwords. I am, in fact, one of the 172,869,660 account holders to be affected by this large scale data breach and many other victims will, like me, be feeling slightly concerned at the thought of personal information getting into the wrong hands.
This feeling reiterates the need for all online game organisations to ensure cyber security measures are a top priority in its company culture, to avoid this kind of attack happening in the future. They need to focus on adopting safe, modern and often updated IT servers which are immune to leaking information, even to the most advanced of criminal cyber specialists.