This article was published on October 1, 2019

218M ‘Words with Friends’ players’ data reportedly stolen in Zynga hack (Updated)

218M ‘Words with Friends’ players’ data reportedly stolen in Zynga hack (Updated)
Ravie Lakshmanan
Story by

Ravie Lakshmanan

Popular social game developer Zynga has reportedly become the latest victim of a massive data breach impacting some 218 million Words with Friends accounts.

On September 12, the company disclosed that “certain player account information may have been illegally accessed by outside hackers,” but didn’t reveal any details about the scope of the breach and the number of players who may have had their information stolen.

But now, there appears to be more than meets the eye in this case. According to Hacker News, gnosticplayers — the threat actor behind the sale of two colossal data dumps comprising of 747 million stolen accounts spanning across 24 websites, including Dubsmash, MyFitnessPal, 500px, CoffeeMeetsBagel, Houzz, and Ixigo, on the dark web earlier this year — has claimed to have compromised Zynga.

Pilfered details include players’ names, email addresses, login IDs, hashed passwords, password reset tokens (if requested), phone numbers (if provided), Facebook IDs (if connected via the social network) and Zynga account IDs.

Per gnosticplayers, the data breach affected all Android and iOS game players who installed and signed up for the Words With Friends game on and before September 2 this year.

The hacker is also said to be in possession of hacked data associated with other Zynga-developed games, such as Draw Something and the now-defunct OMGPOP game.

It’s not clear if the breach itself was the result of a credential stuffing attack, wherein passwords from a breach are used on another site through large-scale automated login requests.

“Whether or not this resulted from credential stuffing, massive data breaches like Zynga’s inevitably lead to an increase in credential stuffing attacks on other websites, creating a huge spikes in bot traffic on their login screens as hackers cycle through the enormous list of credentials stolen from Zynga,” said Tiffany Olson Kleemann, VP of bot management at California-based cybersecurity vendor Imperva.

“Password dumps create a ripple effect of organizations spending precious time and resources on damage control. While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur,” she added.

Zynga is one of the most popular social gaming companies, with a market valuation of $5.48 billion and a number of hit online games such as FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World to its credit.

The company, for its part, said it took corrective steps to protect affected accounts from unauthorized logins and notify players of the incident. The forensic investigation is currently in progress.

When reached for a response, a Zynga spokesperson wouldn’t comment beyond the security update posted on its support page.

Reused passwords are still one of the top ways cybercriminals takeover online accounts. Even if just one of your passwords gets exposed, criminals can try that same password across thousands of other sites.

If you’ve a Zynga account, it’s highly recommended that you change your passwords to avoid bad actors from exploiting your information to stage credential stuffing attacks.

(The story was updated at 5:00 PM IST to include a response from Zynga.)

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with