218 million Words With Friends players lose data to hackers

On 12 September, Zynga released a low-key statement saying that it had been beset by an “unfortunate reality” of doing business today: PR-speak for a data breach.

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – said at the time that it had immediately launched an investigation. The early good news: it didn’t look like any financial information had been ripped off from players of the targeted games, Words With Friends and Draw Something.

Well, that unfortunate reality has now become a lot more unfortunate: it’s 218 million account passwords worth of misfortune to the Words With Friends players whose accounts were allegedly breached.

On Sunday, Hacker News reported that it’s been in touch with the threat actor known as GnosticPlayers, who claims to be responsible for the Zynga breach.

Another GnosticPlayers feeding frenzy

He/she/they have been in the headlines for gargantuan breaches this year: in March 2019, the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers tried to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.

Then, in May 2019, GnosticPlayers struck again, claiming to have gotten away with data for roughly 139 million users of Canva, an online design tool.

Names, emails, passwords and more

This time, the repeat offender told Hacker News that they’d breached Words With Friends, Zynga’s popular multiplayer crossword-style game, and gotten access to details on more than 218 million users.

GnosticPlayers said that they got at the details of all Android and iOS game players who installed and signed up for the game on and before 2 September 2019. This is the stolen data that Hacker News found in the sample GnosticPlayers sent over:

• Names
• Email addresses
• Login IDs
• Hashed passwords, SHA1 with salt
• Password reset token (if ever requested)
• Phone numbers (if provided)
• Facebook ID (if connected)
• Zynga account ID

We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other of the recognised password hashing function you’d hope and expect to have been used.

At any rate, GnosticPlayers also claimed to have drained data from other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear text passwords for more than 7 million users.

Zynga’s initial breach announcement from 12 September said that it had immediately launched an investigation when it found out about the breach, contacting law enforcement and calling on the help of “leading third-party forensics firms”.

Zynga also said that it had “taken steps to protect these users’ accounts from invalid logins” and that “We plan to notify players as the investigation proceeds further.” Zynga declined to comment on GnosticPlayers’ claims and says it doesn’t have any update on its investigation beyond its 12 September statement.

What to do?

Given Zynga’s mellow first breach announcement, it wouldn’t be very surprising if a good number of players didn’t change their password after being notified about it.

We don’t know if all of GnosticPlayers’ claims are spot-on, but at the very least, they’re a good reason to change your password if you haven’t already. Make it beefy, and whatever you do, make it unique. If you’ve used the same password on other sites or services, change it on those, too, lest GnosticPlayers gets it into their massive maw and adds it to the ever-expanding cache of details they’ve been peddling on the darkweb.

Here are some tips on how to choose decent passwords.

Also, you can watch our video on how to pick a proper password:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more: