173 Million Zynga Users Affected in ‘Words with Friends’ Hack
Many gamers don’t understand that playing a mobile game can jeopardize the security of their other online accounts. In September 2019, a hacker with the handle “Gnosticplayers” gained access to a Zynga database that contained the user account data for people who installed Words with Friends, Draw Something, or OMGPOP.
Unfortunately for Zynga users, the hacker was not playing games. He gained access to the data of over 170 million users, making this one of the largest data breaches on record. And it goes further than that: because the stolen data included account records going back to each game's launch, the hacker potentially compromised every account ever created, not just the active ones.
To its credit, Zynga performed its due diligence after the fact: it notified law enforcement, investigated the hack internally, and notified its users, telling them to change their passwords immediately.
So, how was this hacker able to capture so much data?
During the Zynga hack, the hacker obtained passwords stored in plain text as well as passwords hashed with SHA-1, a fast general-purpose hash that is outdated and unsuitable for password storage. In other words, Zynga was not storing its users' passwords securely. A plain-text password needs no cracking at all, and a fast, unsalted hash like SHA-1 can be brute-forced or matched against a dictionary at hundreds of millions of guesses per second, so most of the hashed passwords were only marginally better protected than the plain-text ones. This kind of hack could have caused a lot of collateral damage. If Zynga had performed a thorough vulnerability assessment, it could have exposed this flaw early; moving to a salted, deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2) would have made bulk cracking of the stolen hashes impractical.
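The difference between the weak and the correct storage scheme is easiest to see by attacking both. The following is an added example, not Zynga's code or any code from the original article: it stores a handful of constructed sample accounts first as unsalted SHA-1 (the pattern described above) and then as salted scrypt from Python's standard `hashlib`, and runs the same small dictionary attack against each. The user names, passwords, wordlist and scrypt parameters are all made up for the demonstration; the scrypt cost (`N=2**14`) is deliberately lower than what you would use in production so the example runs in about a second.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts with weak passwords (not real Zynga data).
# Note that alice and dave chose the same password.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "dragon",
    "dave": "password1",
}

# Constructed attacker wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "dragon", "monkey"]


def store_sha1(password):
    """The weak pattern: one unsalted, single-round SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(leaked, wordlist):
    """Offline dictionary attack against unsalted SHA-1.

    Each candidate word is hashed exactly once and the result is looked up
    against every leaked hash, so the cost is |wordlist| fast hashes regardless
    of how many users leaked. Returns (recovered passwords, hash operations).
    """
    lookup = {store_sha1(word): word for word in wordlist}
    found = {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}
    return found, len(wordlist)


# Hardened pattern: per-user random salt plus a memory-hard KDF (scrypt, stdlib).
# Example parameters only: production deployments should use a higher N.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def store_scrypt(password, salt=None):
    """Store as hex(salt)$hex(digest). A fresh 16-byte salt is drawn per user,
    so identical passwords no longer produce identical records."""
    if salt is None:
        salt = os.urandom(16)
    return "%s$%s" % (salt.hex(), _scrypt(password, salt).hex())


def verify_scrypt(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_scrypt(leaked, wordlist):
    """The same dictionary attack against salted scrypt.

    The salt defeats the shared lookup table: every (user, candidate) pair costs
    a full scrypt evaluation, so the work is |leaked| * |wordlist| slow operations.
    Returns (recovered passwords, scrypt operations).
    """
    found, ops = {}, 0
    for user, stored in leaked.items():
        for word in wordlist:
            ops += 1
            if verify_scrypt(word, stored):
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    for label, store, crack in (("sha1", store_sha1, crack_sha1),
                                ("scrypt", store_scrypt, crack_scrypt)):
        leaked = {user: store(pw) for user, pw in SAMPLE_USERS.items()}
        started = time.perf_counter()
        found, ops = crack(leaked, WORDLIST)
        elapsed = time.perf_counter() - started
        print("%-6s recovered %d/%d accounts with %d hash ops in %.3fs"
              % (label, len(found), len(SAMPLE_USERS), ops, elapsed))
```

Both attacks recover every weak password in this toy set, which is the point: a slow hash does not rescue a user who picked `password1`. What it changes is the economics. With unsalted SHA-1 the attacker hashes the wordlist once and matches it against all 173 million records at once, and users who share a password share a hash. With salted scrypt each record has to be attacked individually at a few dozen milliseconds per guess, so large-scale recovery of the dump becomes infeasible. Existing SHA-1 hashes can be migrated by rehashing on the user's next successful login.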
The weakly protected passwords put Zynga users' other accounts at risk because many people reuse the same password across multiple online services. Attackers routinely replay leaked email-and-password pairs against other sites (credential stuffing), so the hacker may well have held the keys to victims' email accounts, social network accounts, or even bank accounts.
While Zynga didn't disclose how the hacker accessed the user data, attackers commonly get into a system through vulnerabilities or misconfigurations in its software. Penetration testing can identify many of those flaws before attackers find them, giving companies time to patch their software and harden their configuration.
Security is complicated. A company that ignores known flaws in its systems, or puts them on the back burner for later, is risking a data breach. A penetration test points out the flaws in servers and applications so they can be fixed before they become a problem.
A threat risk assessment (TRA) goes deeper than a penetration test: it vets the policies and procedures behind the systems, including how credentials are stored. It is a generally understood security best practice that outdated cryptography such as SHA-1, let alone plain-text storage, should never be used for passwords.