A Pakistani hacker who made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc.
With a current market capitalization of over $5 billion, Zynga is one of the world’s most successful social game developers with a collection of hit online games—including FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World—with over a billion players worldwide.
Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and gain unauthorized access to a massive database of more than 218 million users.
According to the hacker, the data breach affected all Android and iOS game players who installed and signed up for the ‘Words With Friends’ game on or before 2nd September this year.
In a statement published over a week ago, Zynga admitted the data breach, citing the “account login information for certain players of Draw Something and Words With Friends that may have been accessed,” though the company did not reveal the number of affected users.
“We recently discovered that certain player account information may have been illegally accessed by outside hackers,” reads the statement.
Based on sample data Gnosticplayers shared with The Hacker News, the stolen users’ information includes their:
- Email addresses
- Login IDs
- Hashed passwords, SHA1 with salt
- Password reset token (if ever requested)
- Phone numbers (if provided)
- Facebook ID (if connected)
- Zynga account ID
Besides this, the hacker also claims to have stolen data belonging to some other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear-text passwords for more than 7 million users.
“An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement,” the company said.
“As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to notify players as the investigation proceeds further.”
What’s your take? If you are a user of the Words With Friends game, you should immediately change the password for your account, and also on any other service where you reused the same password.
The Hacker News has already reached out to Zynga for a comment and will update this story if we hear back.
In March 2019, the same hacker compromised over 26 million online accounts originating from 6 websites and put the stolen records for sale on the popular dark-web market called Dream Market.
In February, the hacker put three rounds of stolen accounts up for sale on Dream Market, posting details of 620 million online accounts stolen from 16 websites in the first round, 127 million from 8 sites in the second, and 92 million from 8 websites in the third.