[BreachExchange] Animal Jam was hacked, and data stolen; here’s what parents need to know

Destry Winant destry at riskbasedsecurity.com
Wed Nov 18 10:56:15 EST 2020


https://techcrunch.com/2020/11/16/animal-jam-data-breach/

WildWorks, the gaming company that makes the popular kids’ game Animal
Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the
top five games in the 9-11 age category in Apple’s App Store in the
U.S., according to data provided by App Annie. But while no data
breach is ever good news, WildWorks has been more forthcoming about
the incident than most companies would be, making it easier for
parents to protect both their information and their kids’ data.

Here’s what we know.

WildWorks said in a detailed statement that a hacker stole 46 million
Animal Jam records in early October but that it only learned of the
breach in November.

The company said someone broke into one of its systems that the
company uses for employees to communicate with each other, and
accessed a secret key that allowed the hacker to break into the
company’s user database. The bad news is that the stolen data is known
to be circulating on at least one cybercrime forum, WildWorks said,
meaning that malicious hackers may use (or be using) the stolen
information.

The stolen data dates back over the past 10 years, the company
said, so former users may still be affected.

Much of the stolen data wasn’t highly sensitive, but the company
warned that 32 million of those stolen records had the player’s
username, 23.9 million records had the player’s gender, 14.8 million
records contained the player’s birth year and 5.7 million records had
the player’s full date of birth.

But the company did say that the hacker also took 7 million parent
email addresses used to manage their kids’ accounts. It also said that
12,653 parent accounts had a parent’s full name and billing address,
and 16,131 parent accounts had a parent’s name but no billing address.

Besides the billing address, the company said no other billing data —
such as financial information — was stolen.

WildWorks also said that the hacker stole players’ passwords,
prompting the company to reset every player’s password. (If you can’t
log in, that’s probably why. Check your email for a link to reset your
password.) WildWorks didn’t say how it scrambled passwords, which
leaves open the possibility that they could be unscrambled and
potentially used to break into other accounts that have the same
password as used on Animal Jam. That’s why it’s so important to use
unique passwords for each site or service you use, and use a password
manager to store your passwords safely.

The company said it was sharing information about the breach with the
FBI and other law enforcement agencies.

So what can parents do?

Troy Hunt, a security researcher and owner of Have I Been Pwned, a
website that helps you find out if you’re a victim of a data breach,
has already obtained a copy of the stolen data. That means anyone can
go to Have I Been Pwned and check to see if they are a victim of the
Animal Jam breach.

Thankfully the data associated with kids’ accounts is limited. But
parents, if you have used your Animal Jam password on any other
website, make sure you change those passwords to strong and unique
passwords so that nobody can break into those other accounts.

If you need help safely and securely storing or generating strong
passwords, use a password manager.

Keep an eye out for scams related to the breach. Malicious hackers
like to jump on recent news and events to try to trick victims into
turning over more information or money in response to a breach.

