How Did the Words with Friends Data Breach Occur?

If you play Words with Friends, your personal information may have been hacked during a data breach last September.

A hacker allegedly stole account login information and possibly other data of more than 200 million players of Words with Friends, a popular mobile game by Zynga Inc.

Words With Friends Data Breach Overview

According to CNET, Zynga said a data breach involving the accounts of Draw Something and Words with Friends players occurred on Sept. 12. Zynga hired a third-party computer forensics company to help investigate the data breach and contacted law enforcement officers.

A hacker from Pakistan known as Gnosticplayers took responsibility for the breach. According to Hacker News, Gnosticplayers purportedly stole and sold nearly one billion records illegally tapped from 45 different online services.

Player names, email addresses, login IDs and passwords could have been exposed, but Zynga reported, “Our current understanding is that no financial information was accessed.”

Android and iOS players who installed the mobile app prior to Sept. 2 could have had their data accessed, according to Hacker News.

How Many Players Details Were Leaked?

The data of more than 218 million players was accessed. According to Zynga, the company took steps to prevent players’ accounts from invalid login attempts in cases where it appears passwords could have been accessed. Zynga also said users may be prompted to change their passwords.

An additional 7 million player accounts in the mobile app Draw Something and a discontinued game called OMGPOP may have been accessed by Gnosticplayers, too, during the same Words with Friends data breach, according to The Hacker News.

Zynga says it has more than one billion players who play CSR Racing, Empires & Puzzles, Merge Dragons, Words with Friends, Zynga Poker, and other games that are available through mobile devices and across social platforms. The company was founded in 2007 and has its headquarters in San Francisco. Zynga reported a 56 percent year-over-year gain in operating cash flow, which totaled $263 million in 2019.

Zynga reported cash and investments totaling about $1.43 billion as of March 31.

What Kind of Data Was Leaked?

Gnosticplayers reportedly showed The Hacker News a sample of the information the hacker was able to obtain.

Player names, email addresses, login IDs, phone numbers (when provided), Facebook IDs (when connected through Facebook), and Zynga account IDs. In addition, the hacker was able to obtain a password reset token if one was ever requested by the user.

Finally, the hacker was able to access hashed passwords, SHA1 with salt. This is computer jargon for extra measures put in place to safeguard passwords. A hashed password is one that has been scrambled. When a password is salted, it means a random set of characters has been added to the front of the password.

The SHA1 reference is Secure Hash Algorithm 1, which is a cryptographic hashing algorithm that has not been used much since 2005 because other types of algorithms are more secure. SHA1 was created by the U.S. National Security Agency in 1993.

Gnosticplayers has committed several data breaches over the past couple of years, exposing hundreds of millions of user records. The hacker sells the records on the dark web where the data may be used to create false identities, to gain access to unauthorized credit cards or loans, or to further other criminal activity. He receives payment through untraceable bitcoin, a type of cyber currency.

According to ZDNet, other companies targeted by Gnosticplayers include:

• GameSalad, a game developing platform
• Estante Virtual, an online bookstore from Brazil
• Bukalapak, a large e-commerce company from Indonesia
• YouthManuals, an Indonesian student career guidance website
• Coubic, an online task management system
• LifeBear, a scheduling app

Gnosticplayers reportedly told ZDNet that he continues to hack and sell user records because he “got upset” about security protocols continuing to be relatively lax among companies.

What Can You Do if You Were Affected By the Words With Friends Data Breach?

Several class action lawsuits have been filed against Zynga, accusing the company of failing to protect customer data and failing to respond adequately to the data breach.

Lawsuits allege affected players are exposed to a greater risk of credit scams and identity theft, phishing scams, and other fraudulent activity that could cost them time and money.

Should You Join a Words With Friends Lawsuit?

If you created an account with Zynga’s Words with Friends or Draw Something before September 2019, your personal information could have been accessed because of the data breach.

Past data breach class action lawsuits have settled for millions of dollars.

Due to the increased risk of identity theft and other malfeasance, you may want to join this Words with Friends data breach class action lawsuit investigation.

Join a Free ‘Words with Friends’ & ‘Draw Something’ Class Action Lawsuit Investigation

If you are a user of “Words with Friends” or “Draw Something” and created your account with Zynga for one of these games prior to September 2019, your information may have been compromised in this data breach, and you may qualify to join this “Words with Friends” & “Draw Something” data breach class action lawsuit investigation.

Get a Free Case Evaluation

This article is not legal advice. It is presented
for informational purposes only.