Hackers broke into one of Zynga’s older social games, YoVille, and they were able to disrupt the gameplay for a group of fewer than 1,000 players. The social-game company acknowledged the security problem but said it had addressed it.
While the damage is contained, the idea of a security flaw in a Zynga game is scary, since all of them are digital, and protecting them is essential to the company’s livelihood. Nils Puhlmann, chief security officer at Zynga, said in an interview that sensitive information about players was not compromised.
“Credit card numbers are not an issue here,” said Puhlmann. “It is more a case of YoVille players disrupting other YoVille players.”
The incidents occurred over a couple of weeks in April, and Zynga essentially had the problem solved after that, Puhlmann said. In the incidents, some players were able to break into the in-game accounts of other players and deplete their inventory of belongings in the game in a matter of 30 minutes or so, according to one of the players affected.
YoVille has about 230,000 daily active users, or 1.5 million monthly active users. The game was originally posted in 2008 and once had millions more players.
“We detected unusual activity in YoVille, and it coincided with reports from a small number of users,” Puhlmann said. “We analyzed the reports. We found a small number of vulnerabilities that contributed to the unusual activity. The game team patched these vulnerabilities immediately.”
Zynga had to go through a couple of rounds of iteration before it was able to close off the exploits that players used to attack other players. This naturally caused a lot of consternation inside the game, where players complained about the attacks in forums and felt like Zynga wasn’t doing anything. For a time, players were angry because Zynga had not solved the problem. A group that allegedly took credit for the hacks went by the name The Best YoVille Hackers.
“[Zynga] support often doesn’t help them and give them their stolen items back,” said one player who contacted VentureBeat. “This is a major problem in the gaming world.”
Puhlmann said the infrastructure that was vulnerable and exploited was separate from the security systems that protect more sensitive information such as player identity or credit card information. Puhlmann said the company has investigated the thefts of digital goods and restored them to everybody who lost something at this point. At least that is the case where losses have been verified, Zynga said.
Puhlmann said the malicious activity was limited to YoVille and did not extend to other games. During the process of patching, the game was not taken down. During the course of the investigation, some players were banned, Puhlmann said.
In a statement, Steve Lurie, general manager for YoVille, said, “First and foremost, we want to thank our YoVille players and ensure they have the best experience possible. Since we first identified abnormal activity a few weeks ago, securing YoVille and restoring the games of the affected players have been our top priorities. We quickly searched for and identified the vulnerabilities we believe attackers used to harass our players and patched them immediately. Fortunately, no sensitive player information was at risk, and our assessments indicate that fewer than 1,000 YoVille players were impacted. We will remain vigilant in our ongoing security efforts.”