Decipher the Announcement of the Massive Zynga Data Breach

Oct 4, 2019 | Data Privacy

If you played Words with Friends your personal information was compromised

Gaming apps are meant to provide a relaxing, carefree escape for smartphone users, but a massive data breach at Zynga, developer of some of the most popular social games, has players reeling — and wondering how much of their personal data has been compromised.

Here’s what you need to know about this data breach, and what you can do to protect yourself.

Who was affected by the breach?

– Words With Friends users (affected)

– Players of the earlier Zynga game Draw Something (claimed by the hacker)

– Users of other gaming apps developed by Zynga (potentially affected)

According to an exclusive report by Hacker News on September 29, the breach encompassed “a massive database of more than 218 million users,” primarily Android and iOS players who installed Zynga’s “Words With Friends” game on or before September 2, 2019. However, the investigation into the breadth and impact of the breach has just begun, and it is possible that users of other gaming apps could be affected as well.

The same September 29th report by Hacker News identified the culprit as a Pakistani hacker known as Gnosticplayers, who has hit other popular online services in the past. The hacker also claimed to have hacked login data, including clear-text passwords, from 7 million users of other Zynga games, including Draw Something and the now discontinued OMGPOP game.

How will I know if I was affected by this Zynga breach?

– Users who have Words with Friends installed prior to Sep 2, 2019 (affected)

– Users of other Zynga games installed prior to Sep 2, 2019 (unknown)

Zynga has already confirmed that the data breach affected all persons who installed Words with Friends prior to September 2, 2019. Often, in the wake of a data breach, a company will issue individual notifications to affected customers. While it is unknown at this time whether Zynga has issued or will issue any such notifications, the company is issuing “announcements” about the breach.

For instance, on September 12 Zynga issued a “player security announcement” stating that “certain player account information may have been illegally accessed by outside hackers.” The company says that it has “initiated” an investigation, and that their “current understanding” is that the breach didn’t include users’ financial information. However, data breach investigations take time, and until the investigation is complete and Zynga can confirm precisely what information was compromised it is important that potentially impacted individuals remain vigilant.

What types of data were stolen, and what are the consequences?

The investigation into what data was stolen has just begun, yet already Zynga has stated that the stolen data could include a wide range of personal records, including:

  • Names – identity theft, credit card theft
  • Email addresses – identity theft, scam, spam, account access (a potential exposure for your employer if you used a company email for Zynga apps)
  • Login IDs and passwords – identity theft, scam, spam, account access (if you reused the password elsewhere, a hacker can use it to log in to those other sites too)
  • Zynga account ID – identity theft, scam, spam, account access
  • Phone numbers (if provided) – identity theft, scam, spam, account access
  • Facebook ID (if connected) – identity theft, scam, spam, account access
  • Password reset tokens/access tokens – identity theft, scam, spam, account access

What is an Access Token?

Access tokens work like an “automatic super password”: a credential the service issues after you log in, which lets you stay signed in without typing your username and password each time. This makes them particularly valuable, and particularly harmful when compromised.

Access tokens carry specific value to malicious third parties because, once a user’s access token is compromised, tokens for the user’s shared or connected web applications could potentially become accessible as well. In such cases, anyone holding the token could potentially reset other data permissions and obtain the tokens of connected applications without alerting the original user.
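The standard defensive response to leaked access and password-reset tokens is to invalidate every token issued before the breach and to keep reset tokens short-lived and single-use. The following is an added illustration of that check, not code from the page or from Zynga; the signing secret, the token format and the use of September 2, 2019 as the invalidation cutoff are assumptions for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumed cutoff: tokens issued before the breach date named on the page
# (2019-09-02T00:00:00Z, epoch seconds) are treated as compromised.
BREACH_CUTOFF = 1567382400

# Lifetimes per token kind (assumed values): reset tokens 15 min, access 1 h.
TTL = {"reset": 900, "access": 3600}


@dataclass
class TokenStore:
    """Minimal HMAC-signed token issuer/verifier with breach-date revocation."""
    secret: bytes
    used_reset: set = field(default_factory=set)  # reset tokens are single-use

    def _sign(self, kind: str, user: str, issued: int) -> str:
        msg = f"{kind}:{user}:{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, kind: str, user: str, issued: int) -> str:
        # Token layout (constructed): kind:user:issued_epoch:hmac_hex
        return f"{kind}:{user}:{issued}:{self._sign(kind, user, issued)}"

    def check(self, token: str, now: int) -> bool:
        """Return True only for an authentic, unexpired, post-breach token."""
        try:
            kind, user, issued_s, sig = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return False                      # malformed token
        if kind not in TTL:
            return False                      # unknown token kind
        if not hmac.compare_digest(sig, self._sign(kind, user, issued)):
            return False                      # forged or tampered
        if issued < BREACH_CUTOFF:
            return False                      # issued before the breach: revoked
        if now - issued > TTL[kind]:
            return False                      # expired
        if kind == "reset":
            if token in self.used_reset:
                return False                  # reset token already consumed
            self.used_reset.add(token)
        return True
```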

What can someone do with your Facebook ID?

There are a number of scams that can be launched with a stolen Facebook ID, ranging from contacting you with phony offers or phishing schemes to hijacking the account — and, in effect, transforming a Facebook ID theft into full-fledged identity theft. Zynga has stated that it doesn’t believe actual Facebook passwords were involved in the breach because the company doesn’t collect that information, but many passwords are easy to crack.

In addition, many websites allow users to create an account and log in using their Facebook account. If a hacker takes control of your Facebook account, this sign-in via Facebook lets them into those other sites as well. Your Facebook ID and password may seem trivial to you, but they unlock a lot of personal information about you, which can be used to steal your identity.

What can a hacker do with your email?

One might ask what can’t be done with this information. Many hackers sell email addresses in bulk for quick cash. Others spend time hunting through the messages in your inbox, and through the accounts that can be reached from your email, to make more money.

Below are a few examples of what a hacker can do with your email:

– Hijack your username and passwords to access your bank account

– Make purchases from the website(s) you previously shopped at – ex. Amazon

– Hijack or redirect your online purchases

– Send emails to your friends and family, asking for money

– Add themselves as authorized users on your credit cards

– Reset your passwords to other websites and accounts

– and more…

What can a hacker do with your phone number?

While it isn’t quite on the same level of risk as handing someone access to your bank account, a hacker can use your phone number to instigate phishing attacks on your contacts, engage in cell phone scams, and so on.

With social engineering, which requires little technical skill, a hacker may be able to do a lot of damage by impersonating you.

A stolen phone number can also be put up for sale on “dark web” sites, to be utilized in other fraud schemes at a later date.

What can you do to protect yourself?

– Change your Zynga password

– Change your associated email password

– If you reused the same password for other accounts, change all of those too

If you are one of the affected users, the first thing you should do is change your Zynga password. If you used the same password for other services, change it there, too.

Zynga posted some protection tips on their Player Support Page.

But don’t stop there. To head off someone opening accounts in your name, it’s a good idea to invest in credit monitoring or identity theft protection services.

Contact a Data Breach Lawyer at Franklin D. Azar & Associates

FDAzar is one of the largest plaintiff law firms in Colorado, known for championing the rights of individuals who have suffered damages at the hands of large corporations. The firm is currently prosecuting data breach Class Action cases against Facebook, Marriott, Quora, and Capital One.

Zynga is a San Francisco-based company which created the popular gaming apps Farmville, Zynga Poker, Mafia Wars and Words with Friends. Zynga generated $671 million in online gaming revenues in 2018, and the company claims to have more than a billion players in more than 150 countries.

Over the past 30 years, our attorneys have secured more than $1.5 billion in compensation for our clients. Our class action department is staffed with experienced and knowledgeable attorneys who focus on litigating large, complex cases.

If you have suffered damages as a result of unfair business practices, data breaches, or corporate misconduct, the class action attorneys at FDAzar may be able to help. Speak with a member of our class-action team today or contact us here. The consultation is free.