The Hacker News reported that a hacker who goes by the online alias Gnosticplayers said he breached the game and obtained the player data. The same hacker allegedly also gained access to a billion user records stolen from 45 online services earlier this year.
The alleged Zynga breach is serious because Zynga has so many players. More than a billion people have played the company’s games. The data breach allegedly affects all Android and iOS players who installed and signed up for Words With Friends before September 2, 2019.
In a statement, Zynga acknowledged the data breach. It posted the announcement on its customer support site on September 12, but news of the breach did not surface until yesterday.
It’s been quite a while since Zynga had a security breach. Back in 2012, hackers disrupted the play of Zynga’s YoVille social game on Facebook.
The San Francisco company did not reveal the number of affected people. The hacker reportedly got access to names, email addresses, login IDs, hashed passwords (SHA1 with salt), password reset tokens (if ever requested), phone numbers (if provided), Facebook IDs (if connected), and Zynga account IDs.
The company said it is notifying users of any suspicious logins and is prompting them to change their passwords. Regarding passwords, Zynga said, “Zynga does not collect your passwords for Facebook, Android, or iOS, and we have no indication that this information was involved in the event.”
Zynga said it has commenced an investigation and is using third-party forensics firms to assist. It has also contacted law enforcement. Zynga’s statement on September 12 said:
“Cyber attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.
“Our current understanding is that no financial information was accessed. However, we understand that account information for certain players of certain Zynga games may have been accessed. As a precaution, we have taken steps to protect certain players’ accounts from invalid logins, including but not limited to where we believe that passwords may have been accessed. Zynga has begun the process of sending individual notices to players where we believe that notice is required.
“The security of our player data is extremely important to us. We have worked hard to address this matter and remain committed to supporting our community.”