Skip to content
Naked Security Naked Security

Zynga faces class action suit over massive Words With Friends hack

It's charging subpar password security and lousy user notification: Zynga has yet to notify users to warn them of the breach, the suit says.

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts.
Zynga’s Draw Something was also targeted in the September breach.
The threat actor known as GnosticPlayers went on to claim responsibility for the breach – yet another cache to add to the nearly one billion user records they’d already claimed to have stolen from nearly 45 popular online services earlier in 2019.
Zynga admitted to the breach at the time, saying that hackers got their hands on “certain player account information” but that, at least during the early stages of its investigation, it didn’t think any financial information was accessed.
The game maker didn’t disclose how many accounts were affected, saying only that they’d contact players with affected accounts. Have I Been Pwned confirmed in December 2019 that more than 173 million accounts were hit.
Hacker News, which scrutinized a sample sent over by GnosticPlayers, said that the breached data included names, emails, Login IDs, hashed passwords – “SHA1 with salt”, password reset tokens, Zynga account IDs, and connections to Facebook and other social media services.
We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other of the recognized password hashing functions you’d hope and expect to have been used.
At any rate, GnosticPlayers also claimed to have drained data from other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear text passwords for more than seven million users.
The complaint (PDF), which is seeking a jury trial and class status, was filed on Tuesday in the US District Court for California. The plaintiffs’ lawyers say that Zynga allegedly failed “to reasonably safeguard” player information, referring to Zynga’s “substandard password security.”
The failed complaint also maintains that Zynga failed to notify users in a timely manner. It’s charging Zynga with being responsible for the plaintiffs’ personally identifiable information (PII) being…

…accessed, acquired, and stolen for the purpose of of misusing the Plaintiffs’ data and causing further irreparable harm to Plaintiffs’ personal, financial, reputational, and future well-being.
After the theft of Plaintiffs’ PII from Zynga’s platform, it was distributed to and among hacker forums and other identity and financial thieves for the purpose of illegally misusing, reselling, and stealing Plaintiffs’ PII and identity.

Plaintiffs have been damaged as a result, their lawyers said in the complaint.

The suit was brought on behalf of two affected users, one of whom is a parent of an affected user who’s underage, and one of whom had a Zynga account herself.
The Plaintiffs’ lawyers suggest that Zynga “unconscionably” deceived users regarding the safety and protection of their user information. They also maintain that a large number of minor children were implicated in the breach, pointing to a study that estimates that 8% of all mobile gamers are between the ages of 13 and 17.
As the lawyers noted, the Federal Trade Commission (FTC) has said that when children are victims of a data breach, “it might be years before you or your child realizes there’s a problem.”
The lawsuit lists 14 counts of action and claims for relief, ranging from negligence and violation of state data breach statutes to unjust enrichment.
It also claims that while Zynga posted a warning on its website, it has yet to notify users to warn them of the breach, with the class arguing the company “effectively hid the fact that it suffered a data breach” and instead spent the time “shoring up its legal defenses.”
From the complaint:

Only those users who happened to visit Zynga’s website on their own volition, read about the breach in the news, or had signed up to receive email data breach notifications from independent third parties that monitor data breaches were made aware of the breach.

The plaintiffs, along with others affected by the breach, are at risk of fraud, identity theft, and criminal misuse of their personal information “for years to come,” the lawsuit argues.
As of Wednesday afternoon, Zynga hadn’t responded to media requests for comment.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


“We don’t know exactly what “SHA1 with salt” means… ”
Yet, here you are, talking about internet security… 🙄


Well, I know a fair bit about secure password storage and although I didn’t write this article, I don’t “know exactly what SHA-1 with salt” means either.
I know *kind of* what it means – but I also know that there are no password hashing algorithms I’d recommend that use SHA-1 on its own; that just adding a salt doesn’t slow down attacks against individual passwords at all; and that if I were declaring what password storage algorithm I had used, even if it were non-standard, I’d give more detail than that. For all we know, “SHA-1 with salt” might mean that 2 random characters of salt were prepended to the password string, which was then put through 1 iteration of SHA-1. In that case, brute force attacks could be run at native SHA-1 hashing speeds, and you would need a comparatively modest number of precomputed lookup tables for instantaneous dictionary attacks. (2 characters of salt give about 12 bits of extra variability to each password, so you’d need about 4000 lookup tables to crack common passwords by simply lookup.)
And I’ll wager that’s exactly what Lisa meant by saying she wasn’t “exactly sure”, too.
We know what SHA-1 is; we know what a salt is; but more information is required to make a decision on just how easy it might be to do a dictionary attack on the passwords. Notably, there’s no mention of the size of the salt, and no mention of any “stretching”, which is the jargon word for rehashing the password over and over again to eat up time so that individual logins are delayed by no more than, say, one second while dictionary attacks are made to take, say, 50,000 times longer each.
That’s why using well-specified password derivation functions such as PBKDF-2 or bcrypt is strongly recommended. Then you can be clear about the the amount of work an attacker would have to expend on cracking each password – you can tell your users what hash function you used (HMAC-SHA-256 is what I would suggest); how many bytes of randomness you added as a salt (I’d use 128 bits of good-quality randomness, e.g. /dev/urandom); and how many iterations (I would go for about 100,000 in 2020).


Excellent explanation of this issue, finally. Zynga should’ve been more expedite of this issue. I, like thousands of others, have been left in the dark, when Words went down. Please, remove Words from games ready to play, until this matter is resolved.
Waiting to play!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!