Zynga faces class action suit over massive Words With Friends hack

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts.

Zynga’s Draw Something was also targeted in the September breach.

The threat actor known as GnosticPlayers went on to claim responsibility for the breach – yet another cache to add to the nearly one billion user records they’d already claimed to have stolen from nearly 45 popular online services earlier in 2019.

Zynga admitted to the breach at the time, saying that hackers got their hands on “certain player account information” but that, at least during the early stages of its investigation, it didn’t think any financial information was accessed.

The game maker didn’t disclose how many accounts were affected, saying only that they’d contact players with affected accounts. Have I Been Pwned confirmed in December 2019 that more than 173 million accounts were hit.

Hacker News, which scrutinized a sample sent over by GnosticPlayers, said that the breached data included names, emails, Login IDs, hashed passwords – “SHA1 with salt”, password reset tokens, Zynga account IDs, and connections to Facebook and other social media services.

We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other of the recognized password hashing functions you’d hope and expect to have been used.

At any rate, GnosticPlayers also claimed to have drained data from other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear text passwords for more than seven million users.

The complaint (PDF), which is seeking a jury trial and class status, was filed on Tuesday in the US District Court for California. The plaintiffs’ lawyers say that Zynga allegedly failed “to reasonably safeguard” player information, referring to Zynga’s “substandard password security.”

The failed complaint also maintains that Zynga failed to notify users in a timely manner. It’s charging Zynga with being responsible for the plaintiffs’ personally identifiable information (PII) being…

…accessed, acquired, and stolen for the purpose of of misusing the Plaintiffs’ data and causing further irreparable harm to Plaintiffs’ personal, financial, reputational, and future well-being.

After the theft of Plaintiffs’ PII from Zynga’s platform, it was distributed to and among hacker forums and other identity and financial thieves for the purpose of illegally misusing, reselling, and stealing Plaintiffs’ PII and identity.

Plaintiffs have been damaged as a result, their lawyers said in the complaint.

The suit was brought on behalf of two affected users, one of whom is a parent of an affected user who’s underage, and one of whom had a Zynga account herself.

The Plaintiffs’ lawyers suggest that Zynga “unconscionably” deceived users regarding the safety and protection of their user information. They also maintain that a large number of minor children were implicated in the breach, pointing to a study that estimates that 8% of all mobile gamers are between the ages of 13 and 17.

As the lawyers noted, the Federal Trade Commission (FTC) has said that when children are victims of a data breach, “it might be years before you or your child realizes there’s a problem.”

The lawsuit lists 14 counts of action and claims for relief, ranging from negligence and violation of state data breach statutes to unjust enrichment.

It also claims that while Zynga posted a warning on its website, it has yet to notify users to warn them of the breach, with the class arguing the company “effectively hid the fact that it suffered a data breach” and instead spent the time “shoring up its legal defenses.”

From the complaint:

Only those users who happened to visit Zynga’s website on their own volition, read about the breach in the news, or had signed up to receive email data breach notifications from independent third parties that monitor data breaches were made aware of the breach.

The plaintiffs, along with others affected by the breach, are at risk of fraud, identity theft, and criminal misuse of their personal information “for years to come,” the lawsuit argues.

As of Wednesday afternoon, Zynga hadn’t responded to media requests for comment.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.