Zynga 2019 Hack Update: 26M Plaintext Passwords Exposed
As Zynga’s player security announcement states, “cyber attacks are one of the unfortunate realities of doing business today”, nevertheless, the extent to which certain data leaks harm internet users strongly depends on a company’s choice of security protocols of handling user’s sensitive information.
The Zynga breach happened in September 2019 following the official statement of the company on September 12. Following that, Hacker News released an article which confirmed that the breach was executed by the famous hacker Gnosticplayers, who holds the record of a hacker with the biggest number of breached information, claims to possess hacked data of other Zynga-developed games as well, namely Draw Something and OMGPOP jointly affecting 7 million users.
The breach initially exposed encrypted user email addresses, names, usernames, phone numbers, Facebook ID’s (if connected) and passwords. The Words with Friends team used SHA-1 (Secure Hash Algorithm 1) encryption algorithm to store user information, unfortunately it didn’t take long for the clear text file to appear on the dark web hacking forums. The SHA-1 encryption algorithm has a bad reputation among cyber security experts as it has been theoretically broken in 2005 and in later successfully attacked in the real world cases.
Zynga interactive entertainment company is famous for its FarmVille game, played by more than 800 million active users. It's franchise includes the popular Mafia Wars, CityVille, Draw Something, Zynga Poker and CSR Racing amounting to 1 billion users overall. San Francisco-based social game developer grows in staggering rates over the years, reporting 48.04% increase in year-over-year third quarter revenue in 2019, of $345.3 million.
“The security of our player data is extremely important to us. We are working hard to address this matter and remain committed to supporting our community...” - Zynga.com Player Security Announcement
On December 15th 2019, a new Zynga data dump including more than 26 million email-password combinations in plain text started circling around the popular hacker forums. The new dataset was immediately related to the September breach
And to be very clear, finding hacked databases doesn’t require neither extraordinary skills, nor knowledge, just simple genuine curiosity. The database is available to the average Joe who has a few spare hours to download and look through the Words with Friends user list.
This striking fact makes us wonder:
To what extent is the social gamer’s data safety a priority for such franchise giants, if 218 million accounts could be hacked and 26 million accounts could be decrypted in a 2-month period?
Before we get to the content of the database, let’s dive into the Zynga user demographics a bit.
In the research covering 5,000 social game players in the US and UK, PopCap Games and Information Solutions Group found that the average social gamer is a 43-year old woman. The survey was conducted with individuals who play games on social networking sites and platforms at least once a week.
The decrypted part of Zynga database contains exactly 26,083,520 clear text email-password combinations.
According to Breach Report’s analysts the unique email-password combinations, those not found in the known breach databases, make 84.38% of the Zynga file, specifically 22,010,529 lines of user data. The rest of 4,072,991 lines (15.62%) are repeated email-password combinations. While these are to some extent good news, since the most Words with Friends breached accounts don’t use same email-password combinations, 4 million of them seem to have been repetitively using the same password for multiple accounts on different platforms.
Even more concerning is the fact that the usage of simple passwords doesn’t have a declining trend. The most common password used is the all-time winner - ‘password’, which has been ‘protecting’ 242,557 Words with Friends users (0.93 percent of the database). It is followed by hotmail123, 123456789 1234567, and 123456.
Here you can see the list of the most repeated passwords of the dehashed data breach:
What to do if you have been playing Words with Friends?
If you are one of the hundreds of millions of Words with Friends players, make sure you check if your password has been exposed in plain text in the December 15th database.
IF YOU HAVE BEEN HACKED:
IMMEDIATELY change the password of the compromised email address.
Change the password of the compromised account at Words with Friends.
If you used the same password on other sites, make sure to update those passwords as well.
Find the rest of our security tips here: https://breachreport.com/security-guide
IF YOU HAVEN’T BEEN HACKED:
Even if you haven’t been found hacked, it would be a good practice to change your login password, and ideally to update the password for your email address used to register/sign-up to the game.