Zynga, one of the largest social game developers, was the victim of a hack and a resulting data breach along with over 218 million of their users. Zynga is the developer of popular smartphone gaming apps, including Words with Friends, Farmville, and many more.

If you have installed and played one or more of these games on your smartphone, then your information may have been compromised. It is best to take steps to protect yourself if you think there is a possibility your information was susceptible to the breach. And of course, it is always a good idea to speak with an attorney with experience in data breach cases. You can speak with any of our experienced attorneys for free at 1-855-622-7613 or by emailing us at databreach@fdazar.com

How Do I Know if I was Affected by the Data Breach?

Zynga is currently stating that the breach is known to have affected anyone who installed and played the game “Words With Friends” on Android or iOS prior to September 2, 2019.  The breach is also thought to have impacted at least 7 million more users of the games “Draw Something” and “OMGPOP.” It is unclear at this time how many other users may have been compromised.  It is possible that millions of users of other gaming apps could have been impacted as well, since Zynga is the owner of some of the most popular smartphone games including Zynga Poker, Farmville, and Mafia Wars.

Although no official date has been released, the data breach is thought to have taken place in early September 2019. However, Zynga didn’t release any notification of the breach until September 12th 2019, and the breach was not widely known until Hacker News issued an exclusive report on the matter on September 29, 2019. Often, in the wake of a data breach, a company will issue individual notifications to affected customers, however it is unknown at this time if Zynga plans on issuing notifications to individuals impacted by the breach.

When did Zynga First Become Aware of the Breach?

This is a very good question and one that we will be investigating in the coming weeks/months.  As stated, it is unknown when exactly they first realized there was an issue, however, they knew by September 12, 2019 at the latest, according to an under-the-radar statement released on that date, which you can read here. A few weeks later, Zynga released this updated announcement.

It is important that when there is a data breach that the company impacted act quickly and appropriately to minimize the damage, and we will be investigating to determine if Zynga did so in this case.

What Information was Compromised During the Breach?

According to Zynga, the information that was exposed in the hack includes, but is not limited to, the following:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset tokens/access tokens
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

Zynga has stated that their “current understanding” is that no financial information was compromised in the breach.  However, they also concede that they just recently launched an investigation into the matter.  Based on our experience, the nature of data breaches are so complex and broad that companies cannot expect to have a full picture of what data was actually compromised until weeks, or even month after the breach. It is always a good idea to keep a close eye on your financial accounts and potentially replace and cards or account info that you feel may have been compromised.

What is an Access Token?

Access tokens operate online as an “automatic super password,” embedded with all of a user’s security information which allows a user to log in numerous times without typing out their username and password each time. This makes them particularly valuable, and particularly harmful when compromised. Access tokens carry specific value to malicious third parties because once a user’s access token is compromised, all tokens from that user’s shared or connected web applications could potentially become accessible.  In such cases, anyone with access to the token could potentially reset all other user data permissions and steal the tokens of all connected applications without alerting the original user.

Submit Your Information






I accept and agree to the disclaimer and the privacy policy* required

Contact us

We Can Help You Today