Mobile gaming is an exciting field to work in and to play in. With the processing power of today's phones, the lag that was present years ago is gone. Many companies create these games; one of them is Zynga, a social online game developer. The company became popular approximately a decade ago with the mobile game FarmVille. It also owns Words with Friends, Zynga Poker, Mafia Wars, and Café World.
The Zynga website was successfully attacked. The breach affects iPhone and Android users who installed and signed up for the ‘Words with Friends’ game on or before September 2, 2019. It specifically affects the logins for Words With Friends and, by some reports, also Draw Something. The breach was reported on September 12, 2019. More than 170M user names and passwords were exfiltrated in this attack.
This affects users who had signed up for Draw Something or Words With Friends prior to September 2, 2019. The database held the credentials for 172,869,660 accounts. Passwords were stored as salted SHA-1 hashes. The database also held names, email addresses, login IDs, the password reset token if one was ever requested, phone numbers if provided, Facebook ID (if connected), and Zynga account ID. No financial information was accessed.
Not the first time
The hacker, from Pakistan, was contacted for comment. The person's handle is Gnosticplayers. This is not the first time Gnosticplayers has been able to breach defenses and exfiltrate data. They had previously exfiltrated much smaller databases holding approximately 7M passwords, which were not secured. Those databases belonged to the discontinued game OMGPop.
This was not the first or second time this has occurred at Zynga. That indicates a distinct lack of care for the data users entrust to the company, and for cybersecurity in general. Every time a user registers and enters their data into the online form, they trust Zynga to do the right thing with that data. Clearly this did not happen, since the same issue has surfaced again and again.
On another point, the passwords were salted and hashed. Generally, when an industry-standard password hashing scheme is used, this is a good security measure. The issue, however, is that industry standards were not followed. Zynga has also not elected to disclose how this attack occurred. While this is not something a company would want to be known for, it could have helped others learn from the oversight.
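To make the gap between "salted and hashed" and "industry standard" concrete, here is an added example (not Zynga's code, and not based on any detail of how their system was built) comparing a single salted SHA-1 over the password, as reported for the breached database, with a slow, iterated password hash from the Python standard library. The sample password and salt are constructed for the demo; the `cost_ratio` function measures how much more work one password guess costs under the slow scheme, which is the property a salt alone does not provide.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values; nothing here comes from the breached database.
SALT = os.urandom(16)
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended work factor for PBKDF2-HMAC-SHA256


def sha1_salted(password: bytes, salt: bytes) -> bytes:
    """The scheme reported for the breached database: one fast SHA-1 over salt + password.
    The salt defeats precomputed tables, but each guess still costs a single cheap hash."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_sha256(password: bytes, salt: bytes) -> bytes:
    """A deliberately slow, iterated password hash: the same salt, but one guess now
    costs PBKDF2_ITERATIONS hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=32)


def verify(stored: bytes, candidate: bytes, salt: bytes, kdf) -> bool:
    """Check a login attempt against a stored hash with a constant-time comparison."""
    return hmac.compare_digest(stored, kdf(candidate, salt))


def seconds_per_hash(kdf, password: bytes, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one hash computation, i.e. of one password guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(password, salt)
    return (time.perf_counter() - start) / rounds


def cost_ratio(password: bytes = b"demo-password", salt: bytes = SALT) -> float:
    """How many times more expensive one guess is under PBKDF2 than under salted SHA-1."""
    slow = seconds_per_hash(pbkdf2_sha256, password, salt, rounds=2)
    fast = seconds_per_hash(sha1_salted, password, salt, rounds=1000)
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    pw = b"demo-password"
    stored = pbkdf2_sha256(pw, SALT)
    print("correct password accepted:", verify(stored, pw, SALT, pbkdf2_sha256))
    print("wrong password rejected:", not verify(stored, b"wrong", SALT, pbkdf2_sha256))
    print(f"cost per guess, PBKDF2 vs salted SHA-1: {cost_ratio():,.0f}x")
```

On typical hardware the ratio runs into the hundreds of thousands; the same measurement applies to bcrypt, scrypt or Argon2, which are the other accepted choices.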
Once the breach was detected, Zynga contracted a third-party forensics firm to assist with the investigation and also involved law enforcement. Naturally, it also contacted the affected users and told them to change their passwords.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.