[BreachExchange] Zynga faces class action suit over massive Words With Friends hack

Destry Winant destry at riskbasedsecurity.com
Thu Mar 5 10:09:50 EST 2020


https://nakedsecurity.sophos.com/2020/03/05/zynga-fac

Zynga – maker of addictive (and crook-tempting) online social games
such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing
a potential class action lawsuit over the September 2019 breach in
which hackers got access to more than 218 million Words with Friends
accounts.

Zynga’s Draw Something was also targeted in the September breach.

The threat actor known as GnosticPlayers went on to claim
responsibility for the breach – yet another cache to add to the nearly
one billion user records they’d already claimed to have stolen from
nearly 45 popular online services earlier in 2019.

Zynga admitted to the breach at the time, saying that hackers got
their hands on “certain player account information” but that, at least
during the early stages of its investigation, it didn’t think any
financial information was accessed.

The game maker didn’t disclose how many accounts were affected, saying
only that they’d contact players with affected accounts. Have I Been
Pwned confirmed in December 2019 that more than 173 million accounts
were hit.

Hacker News, which scrutinized a sample sent over by GnosticPlayers,
said that the breached data included names, emails, Login IDs, hashed
passwords – “SHA1 with salt”, password reset tokens, Zynga account
IDs, and connections to Facebook and other social media services.

We don’t know exactly what “SHA1 with salt” means, but we do know that
it isn’t bcrypt, scrypt, PBKDF2 or any of the other recognized
password hashing functions you’d hope and expect to have been used.
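The distinction the article draws is worth seeing in code. The following is an added example, not Zynga’s code and not from the article or the lawsuit: a small password store that holds legacy “SHA1 with salt” records (one SHA-1 pass over salt plus password, which is a plausible reading of the phrase), verifies logins against them, and rewrites each record as PBKDF2-HMAC-SHA256 the next time that user logs in successfully, the only moment the plaintext is available for re-hashing. The record layout, the field names, the sample user and the iteration count are all assumptions made here; the `cost_ratio` helper only illustrates why a fast digest makes a poor password hash.

```python
import hashlib
import hmac
import os
import time

# Added example (not Zynga's code and not from the article): a password store
# that contrasts a fast salted SHA-1 digest with a deliberately slow PBKDF2
# hash and upgrades legacy records at login. Record layout, field names and
# the sample user below are constructed for this example.

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """One SHA-1 pass over salt||password, a plausible reading of 'SHA1 with salt'.
    The salt defeats precomputed tables but adds no per-guess cost."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256; the iteration count is a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_record(password: str) -> dict:
    """Create a record in the current scheme with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": pbkdf2_hash(password, salt),
    }


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; on success, rewrite legacy records in the new scheme.
    The upgrade can only happen at login, when the plaintext is in hand."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1_salt":
        ok = hmac.compare_digest(legacy_sha1_hash(password, salt), record["hash"])
        if ok:
            record.clear()
            record.update(new_record(password))
        return ok
    if record["scheme"] == "pbkdf2_sha256":
        expected = pbkdf2_hash(password, salt, record["iterations"])
        return hmac.compare_digest(expected, record["hash"])
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def cost_ratio(sha1_trials: int = 1000) -> float:
    """Rough wall-clock cost of one PBKDF2 hash versus one salted SHA-1 hash.
    Shows why a fast digest is a poor password hash; the value is machine-dependent."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(sha1_trials):
        legacy_sha1_hash("benchmark", salt)
    sha1_each = (time.perf_counter() - t0) / sha1_trials
    t0 = time.perf_counter()
    pbkdf2_hash("benchmark", salt)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / sha1_each


# Constructed legacy row, as a "SHA1 with salt" store might hold it.
LEGACY_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_USER = {
    "scheme": "sha1_salt",
    "salt": LEGACY_SALT.hex(),
    "hash": legacy_sha1_hash("correct horse battery staple", LEGACY_SALT),
}

if __name__ == "__main__":
    user = dict(SAMPLE_USER)
    print("wrong password accepted:", verify_and_upgrade(user, "hunter2"))
    print("scheme after failed login:", user["scheme"])
    print("right password accepted:", verify_and_upgrade(user, "correct horse battery staple"))
    print("scheme after successful login:", user["scheme"])
    print(f"PBKDF2 costs roughly {cost_ratio():,.0f}x one salted SHA-1")
```

A failed login leaves the legacy record untouched, so an attacker cannot trigger the upgrade path; a successful one replaces it with a fresh salt and the PBKDF2 digest. Comparisons use `hmac.compare_digest` so verification time does not leak how many leading bytes matched.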

At any rate, GnosticPlayers also claimed to have drained data from
other Zynga-developed games, including Draw Something and the
discontinued OMGPOP game, which allegedly exposed clear text passwords
for more than seven million users.

The complaint (PDF), which is seeking a jury trial and class status,
was filed on Tuesday in the US District Court for California. The
plaintiffs’ lawyers say that Zynga allegedly failed “to reasonably
safeguard” player information, referring to Zynga’s “substandard
password security.”

The filed complaint also maintains that Zynga failed to notify users
in a timely manner. It’s charging Zynga with being responsible for the
plaintiffs’ personally identifiable information (PII) being…

…accessed, acquired, and stolen for the purpose of misusing the
Plaintiffs’ data and causing further irreparable harm to Plaintiffs’
personal, financial, reputational, and future well-being.

After the theft of Plaintiffs’ PII from Zynga’s platform, it was
distributed to and among hacker forums and other identity and
financial thieves for the purpose of illegally misusing, reselling,
and stealing Plaintiffs’ PII and identity.

Plaintiffs have been damaged as a result, their lawyers said in the complaint.


The suit was brought on behalf of two affected users, one of whom is a
parent of an affected user who’s underage, and one of whom had a Zynga
account herself.

The Plaintiffs’ lawyers suggest that Zynga “unconscionably” deceived
users regarding the safety and protection of their user information.
They also maintain that a large number of minor children were
implicated in the breach, pointing to a study that estimates that 8%
of all mobile gamers are between the ages of 13 and 17.

As the lawyers noted, the Federal Trade Commission (FTC) has said that
when children are victims of a data breach, “it might be years before
you or your child realizes there’s a problem.”

The lawsuit lists 14 counts of action and claims for relief, ranging
from negligence and violation of state data breach statutes to unjust
enrichment.

It also claims that while Zynga posted a warning on its website, it
has yet to notify users to warn them of the breach, with the class
arguing the company “effectively hid the fact that it suffered a data
breach” and instead spent the time “shoring up its legal defenses.”

From the complaint:

Only those users who happened to visit Zynga’s website on their own
volition, read about the breach in the news, or had signed up to
receive email data breach notifications from independent third parties
that monitor data breaches were made aware of the breach.

The plaintiffs, along with others affected by the breach, are at risk
of fraud, identity theft, and criminal misuse of their personal
information “for years to come,” the lawsuit argues.

As of Wednesday afternoon, Zynga hadn’t responded to media requests for comment.

