218 Million Records Have Allegedly Been Stolen from Zynga

Zynga Data Breach

On September 12, mobile and social media game developer Zynga announced that it had suffered a data breach. Zynga, as some of you probably know, is the creator of hit games like FarmVille, Mafia Wars, and Zynga Poker. Millions of people have wasted countless hours playing these games, which means that the lack of details in Zynga's announcement is rather worrying.

The short press release said that someone had stolen "account login information for certain players of Draw Something and Words With Friends". The number of affected users was not disclosed, and the exact nature of the leaked data remained unknown. An FAQ page told users that Zynga had taken steps to protect Words With Friends players from "invalid logins" and that people who had played Draw Something might be asked to change their passwords. We learned that the hackers had failed to access any financial information, but overall, the details were thin on the ground. Yesterday, a hacker going by the nickname Gnosticplayers got in touch with The Hacker News and apparently gave a fuller account of what exactly happened.

Gnosticplayers is back

Gnosticplayers first made the news in February when he tried to sell a whopping 620 million records stolen during 16 data breaches. Back then, he told the media that he was solely responsible for all the attacks (some of which had been undisclosed at the time) and claimed that he had a lot more information that he was ready to sell. Over the next few months, he proved that he wasn't joking, and in total, he put up more than 1 billion records for sale on the dark web. Now, he claims that he has hacked Zynga as well.

More than 200 million records with login and personal information exposed

Apparently, Gnosticplayers hacked into a database that contained the information of Android and iOS users who played Words With Friends on or before September 2, 2019. The hacker stole more than 218 million records from that database alone, and the exposed information includes names, email addresses, login names and Zynga account IDs, as well as passwords that had been salted and hashed with SHA1. A per-record salt rules out precomputed lookup tables, but SHA1 is fast enough that weak passwords can still be recovered by offline guessing, so "hashed" should not be read as "safe" here. The phone numbers and Facebook IDs associated with the affected accounts were also leaked, and so were the password reset tokens of users who had requested a password reset. Unfortunately, this wasn't the only data Gnosticplayers managed to breach.

He apparently also stole a database that contained information on people playing other Zynga games, including Draw Something. According to The Hacker News, that database held more than 7 million passwords stored in plaintext, which need no cracking at all.
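As an added illustration (not code from the original article, from Zynga or from The Hacker News), the following Python sketch shows why the "salted and hashed with SHA1" records described above are still exposed to an offline dictionary attack, and why the plaintext Draw Something passwords need no attack at all. Every record, salt, email address and password below is constructed for the example; the hashing layout (hex salt prepended to the password) is an assumption, since the actual scheme Zynga used is not public.

```python
import hashlib
import os

# Constructed sample records in the shape of a salted-SHA1 credential dump.
# Hypothetical users, salts and passwords; none of this is real breach data.
# ASSUMPTION: hash = SHA1(salt || password), salt stored as hex next to the hash.
def make_record(email, password, salt=None):
    salt = salt if salt is not None else os.urandom(8).hex()
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return {"email": email, "salt": salt, "sha1": digest}


SAMPLE_RECORDS = [
    make_record("alice@example.com", "farmville123", salt="a1b2c3d4"),
    make_record("bob@example.com", "letmein", salt="deadbeef"),
    # Same password as alice but a different salt: the two hashes differ,
    # so an attacker cannot spot the shared password by comparing hashes...
    make_record("carol@example.com", "farmville123", salt="0f0f0f0f"),
    # ...but a strong, unguessable password survives the dictionary pass.
    make_record("dave@example.com", "Xk9#vQ2!pL7z-wm", salt="cafebabe"),
]

# Tiny constructed wordlist; a real attacker uses hundreds of millions of
# candidates plus rules, and SHA1 runs at billions of hashes per second on GPUs.
WORDLIST = ["password", "123456", "letmein", "farmville123",
            "wordswithfriends", "qwerty"]


def salts_hide_duplicates(records):
    """True if no two records share a hash, even when passwords repeat.
    This is what the salt buys: no cross-record comparison, no rainbow tables."""
    hashes = [r["sha1"] for r in records]
    return len(hashes) == len(set(hashes))


def crack_salted_sha1(records, wordlist):
    """Offline dictionary attack. The salt forces one hashing pass per record
    instead of one shared table, but that only multiplies the work by the
    record count; with a fast hash like SHA1 the multiplication is cheap."""
    recovered = {}
    for rec in records:
        for candidate in wordlist:
            guess = hashlib.sha1((rec["salt"] + candidate).encode("utf-8")).hexdigest()
            if guess == rec["sha1"]:
                recovered[rec["email"]] = candidate
                break
    return recovered


def work_factor(records, wordlist):
    """Worst-case SHA1 invocations the attacker needs: records x candidates."""
    return len(records) * len(wordlist)


if __name__ == "__main__":
    print("hashes all distinct:", salts_hide_duplicates(SAMPLE_RECORDS))
    print("recovered:", crack_salted_sha1(SAMPLE_RECORDS, WORDLIST))
    print("SHA1 calls needed:", work_factor(SAMPLE_RECORDS, WORDLIST))
```

The salt does its job: alice and carol share a password yet their hashes differ. It does nothing against guessing, though: three of the four constructed accounts fall to a six-word list, and only the account with an unguessable password holds. A password-hashing function designed to be slow (bcrypt, scrypt or Argon2 with a tuned cost) makes each of those guesses orders of magnitude more expensive; that is the difference between "salted SHA1" and storage that actually protects a leaked database.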

Can Gnosticplayers be trusted?

None of the information above has been officially confirmed by Zynga, which means that taking it with a grain of salt might not be such a bad idea. Nevertheless, as we mentioned already, Gnosticplayers has a track record of making bold claims and then delivering on them. What's more, there are one or two things which make his version of events plausible.

Zynga did say that it's forcing some Draw Something players to reset their passwords, which makes perfect sense if that login data was indeed stored in plaintext, as Gnosticplayers says. For Words With Friends, on the other hand, the game developer only said that it had taken steps to prevent "invalid logins", which may or may not include invalidating the leaked password reset tokens.

Either way, at the time of writing, Zynga hasn't officially commented on Gnosticplayers' claims which means that there's no way to be sure what has happened exactly. This, in turn, means that you could do worse than change your passwords at the Zynga games you've played as well as at any other online services where you might have reused them.

September 30, 2019
