A cracker using the pseudonym Gnosticplayers has reported hacking several applications of Zynga Inc., the largest American online game developer. The hacker announced the theft of data from 218 million users.

The leak affected all Android and iOS users who installed the Words With Friends puzzle game and registered in it before September 3 this year.
The cracker shared several accounts with The Hacker News. Judging by these samples, he got usernames, email addresses, hashed passwords with salt, password reset tokens (if they were reset), phone numbers and Facebook IDs (if they were specified during registration), as well as Zynga account identifiers.
“We also managed to steal user data from Draw Something and the OMGPOP game, which is no longer supported by the manufacturer,” Gnosticplayers added. According to him, among the information to which he gained access were 7 million user passwords in unencrypted form.
On September 12, Zynga representatives issued an official statement on the data leak from Words With Friends and Draw Something, but did not disclose the number of affected users. They reported that they had already begun an investigation and brought in third-party experts and law enforcement agencies. The developers also took steps to protect user accounts, but called on the players themselves to be vigilant.

Reference: Zynga Inc is one of the most successful online game developers, with a current market capitalization of more than $5 billion. The company owns games like FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World, with a billion users worldwide.
Cybersecurity experts do not believe that this hack will cause unprecedented damage to victims, but they give mixed assessments of Zynga’s approach to data protection.
In March of this year, Gnosticplayers put up for sale the stolen data of 26 million users and explained this by a desire to teach companies a lesson about their disregard for data protection. “Such a low level of security in 2019 just infuriates me,” admitted the attacker.
“Nowadays, no company should store passwords in the public domain,” said Javvad Malik of KnowBe4. He noted the developer’s responsiveness to the incident.