Game developer Zynga has been one of the biggest names in mobile and social gaming since these things began a little over a decade ago, becoming an overnight sensation with Farmville and keeping that momentum going with a string of hits such as Words With Friends and Draw Something. Unfortunately, the company has also found a spot on the list of the largest data breaches of all time. A major breach of usernames and passwords that happened this past September has been confirmed by the company, and it has turned out to be nearly as big as the initial reports indicated. Over 170 million people appear to have been compromised.
The Zynga password breach
The password breach was first reported in September of 2019, when a Pakistani hacker by the name of “Gnosticplayers” reached out to The Hacker News. At the time, the hacker claimed to have gained access to the accounts of 218 million Zynga users including passwords and personal information. Gnosticplayers is a known quantity in the digital criminal underground, having been observed selling hundreds of millions of breached accounts on the dark web since early 2019.
Zynga confirmed that the company had been breached in September, but declined to confirm the number of accounts or issue their own estimate until recently. It does not appear that Zynga users were notified when the original breach news broke.
The data breach appears to exclusively affect mobile players who installed the Android or iOS version of Words With Friends, Draw Something or the long-defunct OMGPOP platform. Zynga did not specify a breach window. However, given that OMGPOP shut down in 2013 and the number of 170 million accounts is more than double Zynga’s current user base of about 68 million players, it is possible that all accounts dating back to the launch of each game have been compromised.
The Hacker News confirmed that the stolen data included hashed and salted passwords, any password reset tokens that users might have requested, full names, email addresses, phone numbers and Facebook IDs. The passwords were secured with SHA-1 cryptography, which has been considered outdated and insecure since before Zynga was even founded. The hacker additionally claims that they were able to access plaintext passwords for about 7 million former users of the OMGPOP platform.
The primary concern is the use of these username and password combinations in credential stuffing attacks to compromise accounts at other services that use the same information. However, the password breach also provides enough information for hackers to potentially create targeted phishing attacks made up to look as if they are an official communication from Zynga.
The Have I Been Pwned website has been updated with the affected accounts, and concerned parties can search by email address to see if their Zynga account was compromised. Given the size of the breach, it would be wise for anyone with a Zynga account to change their password even if they did not play the affected mobile versions of these games. The amount of account records compromised would make this the 10th largest data breach of all time.
Though Zynga issued a public statement admitting to a password breach back in September, some Zynga users are reporting that they received no notification of it from the company then and may still not have been notified.
Oz Alashe, CEO of cyber security awareness platform and cloud data analytics platform CybSafe, observed that the amount of time that has passed makes it likely that these stolen passwords have been decrypted:
“The disclosure of the full scale and nature of this breach, some three months after the initial announcement, is concerning. This delay, and the initial lack of information provided by Zynga to its users, has put victims at unnecessary risk.
“Especially now that the extent of the breach is clear, users who think they may have registered to use one of Zynga’s products, such as Farmville and Words With Friends, should navigate to haveibeenpwned.com to confirm whether they are impacted. Those who discover that their details have been compromised need to promptly act to change their passwords.
“The details compromised in this breach are incredibly serious, including 7 million unprotected passwords. Based on Gnosticplayers’ previous behaviour following similar attacks, the group may well decide to sell these details on the dark web – if they haven’t already done so.
“Buyers are likely to use these details as a central database to undertake credential stuffing attacks. Compromised pairs of emails and passwords could be injected into commercial websites like Amazon and Ebay in order to fraudulently gain access. The vast majority of email and password combos won’t work, but a few will. That’s because many people reuse the same credentials on multiple websites.”
Since Gnosticplayers has already sold millions of breached accounts on the dark web in 2019 alone, there is no reason to believe these were not also passed on relatively quickly after the early September breach date. While the majority of the passwords stolen were hashed and salted, the outdated SHA-1 encryption has recently shown to be theoretically breakable with as little as about $100,000 USD in cloud computing resources. Criminals who already have local hardware in place could conceivably do it for quite a bit less. It should be assumed that all of these stolen passwords will be available in the wild at some point, if they are not already.
Co-Founder and CTO Chris DeRamus of DivvyCloud sees the Zynga password breach as yet more evidence that end users have to take the lion’s share of data security responsibility upon themselves:
“Zynga’s response to its breach demonstrates how some organizations tend to view proper security as an afterthought. Companies falsely believe that they are faced with a lose-lose choice of innovating in the cloud and remaining competitive, or prioritizing security but moving at a slower and harming their overall market share as a result. However, this is a false choice – organizations can innovate while remaining secure if they implement the proper security controls as they adopt cloud. An automated cloud security strategy can help organizations detect misconfigurations and other threats, then either alert the appropriate personnel of the issue or trigger an automated remediation – all in real-time.”
Robert Prigge, President of Jumio, suggests that biometric authentication may be necessary to protect against password breach incidents like these in the future:
“Zynga’s data breach exposing the usernames, emails and passwords of more than 200 million users further demonstrates that user data is never safe. Whether playing innocent games on your phone or ordering food from DoorDash, cybercriminals are looking for every opportunity possible to acquire user data. This exposed information is sure to find a home on the dark web, enabling fraudsters to log into user accounts and commit account takeover fraud. Because these games are often connected to user Facebook accounts, hackers can gain access to far more information under a forged identity. According to BuiltWith, there are over 190,000 websites that are Facebook Login Button customers and almost 40,000 live websites using Facebook Login Button. Logging in with this stolen information (including the 7 million Draw Something passwords left in clear text with this breach) makes it impossible to determine if the actual account holder is the one logging in. It’s apparent that these traditional authentication methods can no longer be trusted – companies must adopt biometric-based authentication to ensure a user’s data remains in the right hands.”
Short of a sudden burst of enlightenment from all of the internet-based companies that collect user data, end users can expect major password breach incidents such as these to continue to crop up from time to time. Taking proactive steps to protect yourself from breaches is prudent. Breach notification extensions for browsers, such as Password Checker for Google Chrome (soon to be incorporated into core Chrome functionality) and Firefox Monitor, can help to tip you off early in situations like these when the responsible company does not opt to notify all affected users of cyber attacks in a timely manner.