Popular mobile games maker Zynga ha been served a class-action lawsuit in the U.S. for suffering a data breach last year that compromised the personal information of more than 200 million users.
Zynga, the American social game developer, suffered a massive data breach in September last year when a Pakistani hacker gained unauthorised access to their database. According to The Hacker News who spoke to the Pakistani hacker, the database owned by Zynga, who also developed the massively-popular mobile game Farmville, contained profile information of over 218 million people who downloaded the Words With Friends app on or before September 2 last year.
Gnosticplayers, the hacker in question, told The Hacker News that the database contained names, email addresses, login IDs, passwords hashed using SHA1 with salt, password reset tokens, phone numbers, Facebook IDs, and Zynga account IDs of millions of users of Words With Friends, wherever such details were provided by users to the app.
The hacker also claimed to have accessed 7 million more user accounts of other Zynga-owned games such as Draw Something and the discontinued OMGPOP game and these online accounts contained clear text passwords for all 7 million users.
Zynga sued for not disclosing the full extent of the data breach
While Zinga said that this data breach only affected ‘certain player account information’, two plaintiffs have filed a class-action lawsuit against the mobile games maker in the district court of California. They accused Zynga of not providing sufficient information about the data breach and the extent of the unauthorised access.
One of the plaintiffs, a minor, was represented by an adult accused Zynga of failure to uphold special duty of care towards many minors who play its games. According to the plaintiff, Zynga failed to take adequate steps to protect players’ data and deceived users regarding the safety of their personal information.
“As a result of Zynga’s negligent, intentional, or unconscionable failure to adequately satisfy its statutory and common-law obligation, plaintiff’s PII was accessed, acquired, and stolen for the purpose of misusing plaintiff’s data and causing further irreparable harm to plaintiffs’ personal, financial, reputational, and future well-being.
“After the theft of plaintiffs’ PII from Zynga’s platform, it was distributed to and among hacker forums and other identity and financial thieves for the purpose of illegally misusing, reselling, and stealing plaintiffs’ PII and identity,” the class action lawsuit read.
Companies must use layered authentication technologies to protect customer data
When the data breach suffered by Zynga came to light, Frederik Mennes, Director Product Security at OneSpan told TEISS that “if this doesn’t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance.
“Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that’s fingerprints, behavioural biometrics or one-time passwords,” he added.
“What is not so encouraging is seeing a subset of several million users passwords which had been stored in cleartext. In today’s day and age, no company should be storing cleartext passwords. With many users frequently reusing passwords, the breach of this nature can lead to other accounts of individuals being compromised, particularly as the breach also contained email addresses,” said Javvad Malik, security awareness advocate at KnowBe4.