Mobile gaming is an exciting field to work in and play in.
With the processing power of current phones, the lag that was present years
ago is gone. Many companies create these games; one of them is Zynga, a
social online game developer. The company became popular approximately a
decade ago with the mobile game Farmville. It also owns Words with Friends,
Zynga Poker, Mafia Wars, and Café World.
Data Exfiltrated
The Zynga website was successfully attacked. The attack affects
gamers on the iPhone and Android platforms who installed and signed up for the
‘Words with Friends’ game on or before September 2, 2019. Specifically, it affects
the logins for Words With Friends and, by some reports, also Draw Something.
The breach was reported on September 12, 2019. More than 170M user names
and passwords were exfiltrated in this attack.
The affected users are those who had signed up for Draw
Something or Words With Friends prior to September 2, 2019. The database held
the credentials for 172,869,660 accounts, with passwords stored as salted SHA-1
hashes. It held names, email addresses, login IDs, salted SHA-1 password
hashes, password reset tokens (if one was ever requested), phone numbers
(if provided), Facebook IDs (if connected), and Zynga account IDs. No
financial information was accessed.
Not the first time
The hacker, from Pakistan, was contacted to comment on this.
The person's handle is Gnosticplayers. This is not the first time
Gnosticplayers has been able to breach defenses and exfiltrate data. They
also had the pleasure of exfiltrating much smaller databases previously, with
approximately 7M passwords, which were not secured. These databases were for the
discontinued game OMGPop.
Concerns
This was not the first or second time this has occurred with
Zynga, which would indicate a distinct lack of care for the data entrusted to
the company by its users, and for cybersecurity in general. Every time a
user registers and puts their data in the online form, they entrust Zynga to do the
right thing with that data. Clearly this did not occur, since the same issue
has been shown again and again.
On another point, the passwords were salted and hashed. Generally,
when an industry-standard hashing algorithm is used, this is a good security
measure. The issue, however, is that industry standards were not followed.
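An added example, not from the original post or from Zynga: a salted SHA-1 digest costs a single fast hash call per password guess, while a password-hashing function such as scrypt is deliberately slow and memory-hard. The sketch below checks a login against either kind of record and re-hashes a legacy SHA-1 record with scrypt on the first successful login. The record format, function names and scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed record formats (assumptions, not Zynga's schema):
#   legacy:  "sha1$<salt hex>$<digest hex>"    digest = SHA-1(salt || password)
#   current: "scrypt$<salt hex>$<digest hex>"  scrypt with the parameters below
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build the kind of record a salted SHA-1 store keeps."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def scrypt_record(password: str, salt: bytes = b"") -> str:
    """Build a record with a memory-hard hash and a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, record: str):
    """Check a login attempt; return (ok, record_to_store).

    A correct password against a legacy SHA-1 record yields a new scrypt
    record, so the weak hash leaves the database the next time the user
    logs in. Malformed or unknown records are rejected, never guessed at.
    """
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, record
    if scheme == "sha1":
        candidate = hashlib.sha1(salt + password.encode()).digest()
    elif scheme == "scrypt":
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    else:
        return False, record
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if ok and scheme == "sha1":
        return True, scrypt_record(password)     # migrate on successful login
    return ok, record
```

Accounts that never log in again keep their SHA-1 record under this scheme, so a real migration also needs a plan for them, such as a forced password reset.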
Zynga has also elected not to disclose how this attack occurred.
While this is not something a company would want to be known for, disclosure could
have helped others learn from the oversight.
Mitigation
Once the breach was detected, Zynga contracted a third-party forensics
firm to assist with the investigation and brought in law enforcement. Naturally, they
also contacted the affected users and asked them to change their passwords.