
Passwords with Friends - 218M Words with Friends accounts hacked

Source: https://thehackernews.com/2019/09/zynga-game-hacking.html

Source: https://investor.zynga.com/news-releases/news-release-details/player-security-announcement

 

Popular mobile game Words with Friends from Zynga Inc has been hacked with the hacker known as "Gnosticplayers" allegedly obtaining names, email addresses, hashed passwords, phone numbers, and more. According to The Hacker News account information for over 218 million accounts has been accessed.

Quote

Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach "Words With Friends," a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.


According to the hacker, the data breach affected all Android and iOS game players who installed and signed up for the 'Words With Friends' game on and before 2nd September this year.

 

Quote

Based on a sample data Gnosticplayers shared with The Hacker News, the stolen users' information includes their:
 

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID


Zynga's other apps, including Draw Something, have also been affected, as well as the 'OMGPOP' app, which allegedly had user passwords stored in plain text.

Quote

Besides this, the hacker also claims to have hacked data belonging to some other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear text passwords for more than 7 million users.


Words with Friends company Zynga Inc released a statement a few weeks ago acknowledging the hacker's claim, but did not confirm the extent of the hack or how many accounts were affected.

Quote

Cyber attacks are one of the unfortunate realities of doing business today.  We recently discovered that certain player account information may have been illegally accessed by outside hackers.  An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.

While the investigation is ongoing, we do not believe any financial information was accessed.  However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.  As a precaution, we have taken steps to protect these users’ accounts from invalid logins.  We plan to further notify players as the investigation proceeds.

 

 

The hacker "Gnosticplayers" attributed to this breach was responsible for other large scale hacks of recent years, including...

Quote
  • Dubsmash — 162 million accounts
  • MyFitnessPal — 151 million accounts
  • MyHeritage — 92 million accounts
  • ShareThis — 41 million accounts
  • HauteLook — 28 million accounts
  • Animoto — 25 million accounts
  • EyeEm — 22 million accounts
  • 8fit — 20 million accounts
  • Whitepages — 18 million accounts
  • Fotolog — 16 million accounts
  • 500px — 15 million accounts
  • Armor Games — 11 million accounts
  • BookMate — 8 million accounts
  • CoffeeMeetsBagel — 6 million accounts
  • Artsy — 1 million accounts
  • DataCamp — 700,000 accounts

https://thehackernews.com/2019/02/data-breach-website.html

 

Quote
  • Youthmanual — Indonesian college and career platform — 1.12 million accounts
  • GameSalad — Online learning platform — 1.5 million accounts
  • Bukalapak — Online Shopping Site — 13 million accounts
  • Lifebear — Japanese Online Notebook — 3.86 million accounts
  • EstanteVirtual — Online Bookstore — 5.45 million accounts
  • Coubic — Appointment Scheduling — 1.5 million accounts

https://thehackernews.com/2019/03/data-breach-security.html

 

Quote
  • Pizap (Photo editor) — 60 million
  • Jobandtalent (Online job portal) — 11 million
  • Gfycat (GIF hosting service) — 8 million
  • Storybird (Online publishing platform) — 4 million
  • Legendas.tv (Movie streaming site) — 3.8 million
  • Onebip (Mobile payment service) — 2.6 million
  • Classpass (Fitness and Yoga center) — 1.5 million
  • Streeteasy (Real estate) — 990,000 (1 million)

https://thehackernews.com/2019/02/data-breach-sale-darkweb.html

 

This hacker has a history of selling these dumps for profit, so if you were affected by this hack there's a good chance that the highest bidder already has your information.


Seems every few days there's another company that has been breached and everyone's personal information is stolen. I wonder if we will ever reach a point where the market is so saturated with stolen personal information that it becomes essentially worthless to the hackers? That might be the only way to stop this from happening, as it has been proven time and time again that the companies we are trusting with our personal information are not properly securing it.

Correct me if I am wrong, but hashed passwords means that it's not stored as a password, but as a mathematical solution?

So even if they got the key, there would be no way to retrieve the password. 

 

Having said that, with all the other info in this it would be easy to get in :(


1 minute ago, Dujith said:

Correct me if I am wrong, but hashed passwords means that it's not stored as a password, but as a mathematical solution?

So even if they got the key, there would be no way to retrieve the password. 

 

Having said that, with all the other info in this it would be easy to get in :(

 

 

That's correct. 

The article does state that one of their other games had account passwords stored in plain text, meaning anyone can view it.

 

While the hashed passwords might not be helpful, information such as names, email addresses, phone numbers, and so on can be used for things such as scams. Think of receiving an email with your name and phone number saying they're from a bank and need you to log in to your account to review suspicious account activity, but really it's just scammers stealing your bank login info. Most people won't fall for it, but some will.

 

Also, who is providing mobile games with their phone numbers? Is it just one of those "add your phone number to find contacts to play with and get an extra 150 gems to spend on things" type deals? I can't think of any other reason the app would ask for phone numbers.


Pretty sure when I set up my WWF account it was via the Facebook app, so all that should really be leaked is my Facebook ID. I'm going to double check right now though...

 

EDIT: Yep, looks like it. Thank god for overly zealous Facebook integration in apps.


So if you signed in with Facebook, you're not affected, is that what I'm getting here?


8 minutes ago, TetraSky said:

So if you signed in with Facebook, you're not affected, is that what I'm getting here?

If you signed in with Facebook then you're a Facebook user and have problems bigger than an information hack to worry about.


10 minutes ago, TetraSky said:

So if you signed in with Facebook, you're not affected, is that what I'm getting here?

The breakdown of what information came from what type of users isn't clear. It's possible that they might still have other associated information like your name and possibly phone number as well if you gave it to the app or allowed it permission to access those details on your phone. I honestly don't know.

I wouldn't take for granted that logging in via Facebook would offer protection. 


8 hours ago, Spotty said:

 I wonder if we will ever reach a point where the market is saturated with stolen personal information that it becomes essentially worthless to the hackers?
 

I often wonder about that, in my day everyone's name, street and phone number was listed in the phone book.

 


11 hours ago, Dujith said:

Correct me if I am wrong, but hashed passwords means that it's not stored as a password, but as a mathematical solution?

So even if they got the key, there would be no way to retrieve the password. 

 

Having said that, with all the other info in this it would be easy to get in :(

 

 

Depends on how secure/complex your password is and the hashing algorithm they use. Weak hashing algorithms like SHA1 are completely solved, and the hackers can pass common passwords/words into the hashing algorithm, compare the results, and use that to determine what your password is. Some passwords you might think are pretty secure can be cracked with this method if they have a good password database. That's why websites that are really concerned with this should salt and hash the password; a salt is some random value that is hashed along with your password.

 

They are using salted SHA1 hashes. It's better than nothing, but SHA1 shouldn't be used to store passwords, salted or not, imo.

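The two posts above describe the whole story of why "SHA1 with salt" is a weak way to store passwords: an unsalted digest can be matched against a precomputed table of common passwords, a per-user salt defeats that table, but salted SHA-1 still costs an attacker only one fast hash per guess. The following Python is an added illustration written for this thread, not Zynga's code or anything from the articles; the wordlist is a constructed five-entry stand-in for the large lists the post mentions, and the PBKDF2 scheme is shown as a standard-library example of a slow, salted KDF, not as what any vendor uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the large "common password" wordlists the post refers to.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]


def store_unsalted(password: str) -> str:
    """Worst case: bare SHA-1 of the password. Same password -> same digest for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """The scheme the article attributes to Words With Friends: SHA-1 over a random
    salt plus the password. The salt is stored beside the digest; it is not secret,
    it only has to differ per user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> Tuple[bytes, int, str]:
    """Standard-library example of a salted *and* deliberately slow scheme.
    Every verification (and therefore every guess) costs `iterations` HMAC-SHA256 calls."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest.hex()


def verify_pbkdf2(password: str, record: Tuple[bytes, int, str]) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
    return hmac.compare_digest(candidate, stored)


# Built once for the unsalted scheme: digest -> password. This is the "hash the common
# passwords and compare the results" step the post describes, and it only works because
# an unsalted digest depends on nothing but the password itself.
_UNSALTED_TABLE = {store_unsalted(pw): pw for pw in COMMON_PASSWORDS}


def table_hit(digest: str) -> Optional[str]:
    """Return the common password whose unsalted SHA-1 equals `digest`, if any."""
    return _UNSALTED_TABLE.get(digest)


def salt_defeats_table(password: str) -> bool:
    """Two users with the same (common) password get different salted digests, and
    neither digest appears in the precomputed table built for the unsalted scheme."""
    _, d1 = store_salted_sha1(password)
    _, d2 = store_salted_sha1(password)
    return d1 != d2 and table_hit(d1) is None and table_hit(d2) is None


if __name__ == "__main__":
    leaked = store_unsalted("password")
    print("unsalted SHA-1 of a common password, recovered from the table:", table_hit(leaked))
    print("per-user salt defeats the table:", salt_defeats_table("password"))
    rec = store_pbkdf2("password", iterations=100_000)
    print("PBKDF2 verify (right / wrong password):",
          verify_pbkdf2("password", rec), verify_pbkdf2("Password", rec))
```

The salt removes the precomputation shortcut but not the per-guess cost: `store_salted_sha1` is still one SHA-1 call, so a wordlist can be re-run against any single user's salt about as fast as against the unsalted table. That is the gap the second post is pointing at, and `store_pbkdf2` closes it by making each guess as expensive as a legitimate login.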

8 hours ago, TetraSky said:

So if you signed in with Facebook, you're not affected, is that what I'm getting here?

Password-wise, probably. They shouldn't have stored your password if you signed in with Facebook, unless they are dumb.


22 hours ago, Froody129 said:

CAN WE ALL STOP STORING SENSITIVE USER INFORMATION IN PLAIN TEXT PLSTHX

It wasn't just plain text... It was also a horrible, insecure version of SHA that was broken a couple of years ago. It was theorized to be vulnerable since 2005. So if they were picking a hashing algorithm they should have been more than aware.

 

https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html


Every time I hear about one of these security breaches or some site getting hacked, it's as if my life is in peril, but when I look closer at it, 99% of them are from sites and services I have never heard of. So, should I not care, or pretend to care?


2 hours ago, TechyBen said:

But not house keys and wage packets.

I don't know any apps or software/internet services that require a copy of your house key or wage information.  Even if you were applying for a loan (an incredibly long way from the context of general consumer goods/software) they still don't ask for a copy of your key.


41 minutes ago, mr moose said:

I don't know any apps or software/internet services that require a copy of your house key or wage information.  Even if you were applying for a loan (an incredibly long way from the context of general consumer goods/software) they still don't ask for a copy of your key.

Nope. But they do have passwords and purchase history. ;)


7 hours ago, rcmaehl said:

It wasn't just plain text... It was also a horrible, insecure version of SHA that was broken a couple years ago. It was theorized to be vulnerable since 2005. So if they were picking a hashing algorithm they should have been more than aware.

 

https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html

Surely there have to be some regulations about these kinds of practices. No passwords should be stored in plain text. No passwords should be 'secured' with encryption methods that have been solved. Where are the laws about securing users' information and companies doing their due diligence? Does this fall under the GDPR?
