Hackers stole 46 million records from the popular online kids’ game Animal Jam after compromising a Slack server used by WildWorks for intra-company communication. WildWorks CEO Clark Stacey said that the hackers obtained the AWS security key from the third-party server and used it to access the players’ database.
Data leaked included personally identifiable information (PII) that could be used to identify the children’s parents. Later, a threat actor started circulating the database on a popular underground hacker forum, raidforums.com. The cybercriminal claimed that he obtained the database from the hacking group ShinyHunters.
Launched in 2010, the online kids’ game platform has over 300 million individual avatars and over 130 million users, and is available in 225 countries. WildWorks dealt with the data breach transparently after receiving Bleeping Computer’s alert on November 11, 2020.
Details leaked from the online kids’ game platform data breach
The threat actor freely released two databases named “game_accounts” and “users” containing 7 million records. The data breach affected accounts created on the online kids’ game platform over the past ten years.
The WildWorks data breach exposed details including parents’ full names, gender, birth dates, and billing addresses. The company disclosed that the database had email addresses of approximately 7 million Animal Jam and Animal Jam Classic parents’ accounts.
Additionally, 32 million players’ usernames and encrypted passwords were exposed. Birth years of 14.8 million of the online kids’ game players entered during registration were also leaked in the breach. Other details included the gender and the full birthdays of 23.9 and 5.7 million accounts, respectively.
Parents’ full names and billing addresses, excluding other billing information, were also exposed from 12,653 accounts. An additional 16,131 accounts leaked the parents’ first and last names but no billing addresses.
The online kids’ game developer assured parents that the leaked database did not include children’s names. WildWorks had a policy of manually reviewing applications to ensure that parents did not use their children’s names as usernames.
Billing names and billing addresses were included in just 0.02% of the records, according to the company. The online kids’ game company added that, in the remaining records, “no billing information was stolen, nor information that could potentially identify parents of players.”
WildWorks’ response was transparent
Bleeping Computer security researchers notified the online kids’ game developer of the attack on November 11. After learning of the data breach, WildWorks immediately secured the database to prevent further unauthorized access. BleepingComputer researchers also noted that the stolen data did not circulate further.
The online kids’ game company also forced its users to reset their passwords and advised them to check their data on HaveIBeenPwned. Users were also advised to create long and strong passwords and warned against using dictionary words, which are easy to crack.
Additionally, WildWorks recommended that users should change their passwords on other online platforms where they may have reused the leaked passwords. The company added that it was working with federal and international law enforcement agencies to apprehend and prosecute the criminals responsible for the data breach.
Gaming platforms are attractive targets for cybercriminals wishing to steal valuable personal data. Various platforms and games including “Among Us,” “Watch Dogs: Legion,” “CapCom,” and “MineCraft Roblox” have suffered attacks from multiple threat actors, including the Ragnar Locker ransomware gang.
KnowBe4 security awareness advocate Javvad Malik commended WildWorks for graciously handling the data breach.
“It’s reassuring to see Animal Jam take a proactive stance in investigating the breach and being transparent in their approach.”
He also disapproved of the invasiveness of technology in our daily lives, including those of young children.
“However, it raises the question as to how deeply embedded technology has become in all aspects of our lives, where even children’s toys and games need accounts to be set up which potentially can hold sensitive information – and make an attractive target to attackers,” Malik said.
He discouraged companies from collecting unnecessary data as a way to prevent sensitive information from falling into the wrong hands.
“While no one approach will be able to prevent all breaches, it’s important that data isn’t collected unless necessary, and the data that is collected, is done for legitimate purposes and secured properly.”
David “Moose” Wolpoff, co-founder and CTO of Randori, commented that leaking a privileged AWS key could have serious security repercussions, and evicting a privileged attacker from cloud infrastructure was very challenging.
“The theft of an AWS key can mean very different things from event to event, because different keys have differing access permissions. In the worst cases, the compromise of a highly privileged key can mean that the whole infrastructure is compromised, whereas a key with very restricted access might only be able to access a specific resource. When I’ve seen, or performed, compromise of very privileged keys, I can say that it can be very hard to evict such an attacker from your infrastructure. Without specifics about the WildWorks, we don’t know for certain, but the scope of the compromise as reported certainly indicates that this was a less severe incident.”
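The path reported in this breach, an AWS key recovered from a Slack server, is one defenders can check for in their own chat exports. The following is an added example, not code from WildWorks or from the original article: a Python scan over a constructed Slack-style message export. The message field names and sample data are assumptions, and the credential shown is the placeholder pair from AWS's public documentation.

```python
import json
import re

# AWS access key IDs are 20 characters: "AKIA" marks a long-term IAM user key,
# "ASIA" a temporary STS key. Boundaries avoid matching inside longer tokens.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters. On its own that is a weak
# signal, so it is only evaluated for messages that also contain a key ID.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed sample shaped like a chat channel export (a JSON list of messages).
SAMPLE_EXPORT = json.dumps([
    {"user": "U01", "ts": "1602000000.000100", "text": "deploy finished, all green"},
    {"user": "U02", "ts": "1602000060.000200",
     "text": "use these for the db job: AKIAIOSFODNN7EXAMPLE / "
             "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "U03", "ts": "1602000120.000300", "text": "ticket AKIA-123 is closed"},
])

def scan_export(raw_json):
    """Return one finding per message that contains an AWS access key ID."""
    findings = []
    for msg in json.loads(raw_json):
        text = msg.get("text", "")
        key_ids = KEY_ID.findall(text)
        if not key_ids:
            continue
        findings.append({
            "ts": msg.get("ts"),
            "user": msg.get("user"),
            # Key IDs are kept in full: they are needed to find and rotate the key.
            "key_ids": key_ids,
            # The secret itself is never copied into the report, only flagged.
            "secret_present": bool(SECRET.search(text)),
            "temporary": [k.startswith("ASIA") for k in key_ids],
        })
    return findings

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Any key ID the scan reports should be treated as exposed and rotated; as Wolpoff notes, the permissions attached to that key determine how far the exposure reaches.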