Popular Game Company Zynga Breached

In cybersecurity breach de jour news it seems that a popular mobile social game company, Zynga Inc., was recently breached and gave up information on more than 218 million users.  While the breach itself was quietly announced by Zynga on September 12, 2019, they offered precious few details.  The story was then picked up by The Hacker News website on September 29, 2019, with added details.  They reported, “A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc.  Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.”

Zynga was founded in 2007 with the stated vision that play would become one of the core activities on the Internet.  They pioneered social games with the belief that if they could make games simple, accessible, and social the world would start playing.  They maintain that games have grown to become the second most popular activity by time spent, even surpassing email.

A security update and some relevant FAQs can be found on their website announcements page.  They state, “Cyber attacks are one of the unfortunate realities of doing business today.  We recently discovered that certain player account information may have been illegally accessed by outside hackers.  An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.

Our current understanding is that no financial information was accessed. However, we understand that account information for certain players of certain Zynga games may have been accessed.  As a precaution, we have taken steps to protect certain players’ accounts from invalid logins, including but not limited to where we believe that passwords may have been accessed. Zynga has begun the process of sending individual notices to players where we believe that notice is required.  

The security of our player data is extremely important to us.  We have worked hard to address this matter and remain committed to supporting our community.”

Kevin Gosschalk, CEO of Arkose Labs, commented, “As if on cue, there is another data breach in a new industry. It’s as though fraudsters are showing how diverse their portfolio is, with almost every industry covered. In the past three months, consumers could have had their identity breached by applying for a credit card with the largest card company, ordering food on a popular delivery app, signing up for a movie membership card, participating in online dating or even playing a game on their phone. No industry is safe if it involves user data.

The gaming industry is booming and expected to reach $174 billion by 2021. The growth that the industry is experiencing makes it an attractive, and lucrative target for fraudsters – as demonstrated by Zynga, a major player in the gaming industry.

This breach is significant not just because of the sheer size of impacted consumers, 200 million, but because the demographic is very diverse. Zynga’s portfolio includes games that are popular with many different age groups, ranging from Words with Friends, where half of users are above the age of 45, to the game Draw Something, which has an age rating of 4+. Children are not actively tracking or monitoring their digital footprints and identity usage, which gives criminals a long runway to farm identities and destroy a child’s digital footprint well before they even graduate high school. On the heels of the Ecuador data breach impacting 6.7 million children, this marks the second major breach in two weeks with potentially wide-spread and long-term fraud repercussions for a young demographic.

This breach is a scary reminder that in today’s digital-first economy, identity is the true currency. The dark web is a very different place now than it was even three years ago. The sophistication and connectivity of the cybercrime ecosystem, combined with the high-profile data breaches like Zynga, makes it very easy to stitch together information to build complete profiles of user identity. This has fundamentally altered the digital commerce landscape: identity cannot be trusted and intent is easy for fraudsters to fake. It has never been easier to commit fraud and companies must implement a fraud and abuse prevention strategy that removes the economic incentive to attack.”

Security expert, Javvad Malik, Security Awareness Advocate for KnowBe4 said of this incident, “While a breach is always unfortunate, it is encouraging to see that Zynga had sufficient monitoring in place to detect the breach and notify its customers.

What is not so encouraging is seeing a subset of several million users passwords which had been stored in cleartext.  In today’s day and age, no company should be storing cleartext passwords.  With many users frequently reusing passwords, the breach of this nature can lead to other accounts of individuals being compromised, particularly as the breach also contained email addresses.

At the very least this information can fuel attacks in which people receive emails from scammers which include their password.  These emails state that the recipient has been hacked and sensitive or embarrassing information will be released to the public unless they pay a fee.”