Passwords with Friends: Zynga, Inc target of cyberattack

On 1 October 2019, social media game developer Zygna Inc. disclosed that a Pakistani serial hacker breached the company’s popular Words with Friends game. The hacker gained access to 218 million users. Zynga is the developer of some of the best-known social media games, such as Farmville.

While the attack originated with Words with Friends, the hacker is also said to be in possession of data from other Zynga developed games, including Draw Something and OMGPOP.

The notice to Zynga users reported that once the data breach had been discovered, a third-party digital forensic investigator was hired, and that law enforcement had had been notified. Although these are great steps, they do little to protect users’ data after the fact.

The hacker claims that the breach affected all Android and iOS players who signed up for the game before 2 September 2019, and includes users’ names, email addresses, login details, phone numbers (if provided), and Facebook ID.

In previous attacks in February, the hacker responsible claimed to steal almost a billion user records from 45 popular online services and offered a database of 617 million stolen user records for $20 000.

Are cyberattacks part of doing business?

In a statement, Zynga claimed that “cyber-attacks are one of the unfortunate realities of doing business today.” However, the hacker reported that Zynga’s data was protected by encryption that has long been viewed as ill-suited for protecting passwords. This fact contrasts with Zynga’s statement that “the security of our player data is extremely important to us.”

What you can do to protect yourself

In the wake of this data breach, affected users will be prompted to change their passwords upon their next login to Draw Something or Words with Friends. Users should also take immediate action to secure their phones as well as their social media accounts.

Users should change their passwords to something unique that doesn’t contain easily identifiable information such as birthdays, nicknames, pets, or quotations. In addition, users should consider using two-factor authentication for their accounts.

Lastly, users should remember that on average, organizations learn they have fallen prey to a cyberattack 184 days after the attack has occurred and be proactive about protecting their data.