Skip to content
Naked Security Naked Security

Disney’s “Playdom” games forum breached, passwords plundered

According to Disney's breach notification, the crooks "acquired passwords," which means they were stored in plaintext. Here's what to do.

Playdom is an online games company that was acquired by Disney back in 2010.

Most of its games seem to have been shut down some time ago, with just three titles left on the Playdom website, which is still tagged with a copyright message dated 2014. (Marvel: Avengers Alliance; Star Wars: Commander; and Guardians of the Galaxy: The Universal Weapon.)

The Playdom online forums lived well past 2014, however, powered by software known as vBulletin 4.2.2.

This image is a screenshot taken by the Wayback Machine’s internet archiving system, back in March 2016:

This weekend, however, Disney announced that the Playdom forums have now been “retired due to security issues“.

Even though vBulletin 4.2.2 is not the latest version, it is still receiving security updates, including one denoted 4.2.2 Patch Level 5, dated 16 June 2016.

We don’t know whether the vulnerability patched in 4.2.2 Patch Level 5 was found proactively, or was noticed only after crooks began to exploit it.

What we do know is that hackers stole data from the Playdom forums on 09 June 2016 and 12 June 2016, before the latest patch was available.

According to Disney:

The unauthorized party acquired the usernames, email addresses, and passwords for playdomforums.com accounts, as well as the Internet Protocol (IP) addresses collected during user registration on playdomforums.com.

Taken literally, which is the only useful way to read a data breach notice, this statement tells us that Playdom Forums must have been storing passwords in plaintext, without any form of hashing or encryption.

Otherwise the hackers wouldn’t have “acquired the passwords”, they’d have acquired some representation of the passwords that would need further cracking to reveal the actual passwords used. (To learn why, please read our Serious Security article on How to store your users’ passwords safely.)

Under the circumstances, shutting down the forums permanently was probably a wise move, even though it won’t get the stolen data back.

What to do?

  • If you used the same password on any other sites, change those passwords right now, and don’t re-use passwords again!
  • If you’re running online user forums, check that your forum software is patched right now.
  • Never store passwords in plaintext. It was unacceptable back in 1986, so it’s more than unacceptable in 2016.

The silver lining is that it looks as though you don’t need to close your Playdom account, because that’s happened as a side-effect of the forums being retired.

What would be handy to hear from Disney, however, is what it plans to do the data in your now-shuttered account, considering that you can no longer login to delete it yourself…


5 Comments

“still tagged with a copyright message dated 2014”
Everyone’s got a full plate, so I try to not be judgmental but can’t help myself when I notice this on a site.

I’m sure Disney has simply purged the now-closed account data, not planning to use it for marketing purposes of any sort.

Reply

Huh? If you haven’t changed a webpage since 2014, your copyright notice should not have a newer date,

Reply

Er, that was sort of the point I was trying to make: seems that the software ecosystem for the remaining games hasn’t changed.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!