The company behind the wildly popular kids’ game Animal Jam has announced that hackers stole a menagerie of account records during a breach of a third-party vendor’s server in October — more than 46 million of them, in fact.
The company, WildWorks, said that it was unaware that the data had been compromised, until 7 million records turned up on an underground forum used by malicious actors to distribute lifted data, on Nov. 11.
First released in 2010, the game is geared for 7- to 11-year-olds and marketed to parents as a safe and educational virtual space to explore the natural world. The game is free to play and provides a virtual experience where kids can design their own animal avatars, learn facts about nature, chat with other players and engage in mini-competitions for in-game prizes. More than 300 million Animal Jam avatars have been created to date, and there are players across 225 countries, the company reported.
The Animal Jam Compromise
Hackers were able to obtain a key to a server database maintained by a third-party vendor that WildWorks uses for intra-company communication, according to the company. It did not name the vendor.
“We believe our vendor’s server was compromised some time between Oct. 10 and 12,” the company said in a statement announcing the breach. “It was not apparent at the time that a database of account names was accessed as a result of the break-in, and all relevant systems were altered and secured against further intrusion. WildWorks learned of the database theft…Nov. 11, 2020, when security researchers monitoring a public hacker forum saw the data posted there and alerted us.”
In keeping with its safety- and privacy-conscious brand, WildWorks has taken a decidedly transparent approach with its users in the wake of the breach, launching an FAQ site detailing precisely what was stolen, directing users to update their passwords and offering assistance to affected customers.
— WildWorks (@playwildworks) November 12, 2020
According to its own reporting, the company said that cybercriminals were able to steal 7 million parent account email addresses, and 32 million usernames associated with the parent accounts, containing encrypted passwords, players’ birthdays and gender, and more.
“No real names of children were part of this breach,” the company’s site explained. “Billing name and billing address were included in 0.02 percent of the stolen records; otherwise no billing information was stolen, nor information that could potentially identify parents of players. All Animal Jam usernames are human-moderated to ensure they do not include a child’s real name or other personally identifying information.”
Regardless of the perceived exposure, Boris Cipot, senior sales engineer with Synopsys warned users to update their passwords immediately.
“One way the cybercriminals may abuse this data is to carry out a phishing attack,” Cipot said via email. “Therefore, users, or their parents, need to watch out for any emails asking for personal information. It is important that the account password is changed immediately as well to avoid an account takeover. Passwords should also be changed across any other service where it might have been reused. The attackers might cross-reference your account information on other services in order to find other exploitable services. ”
Javvad Malik, security awareness advocate at KnowBe4, meanwhile noted in a statement provided to Threatpost that parents and the broader industry should take a closer look at security risks associated with kids games and toys, once considered low-stakes in terms of threat exposure.
Keeping Connected Toys and Games Safe
“It raises the question as to how deeply embedded technology has become in all aspects of our lives, where even children’s toys and games need accounts to be setup which potentially can hold sensitive information — and make an attractive target to attackers,” Malik said by email.
He suggested that a closer partnership between manufacturing and technology could help mitigate risks to kids and their data.
“Not just in products, but create [to] a culture of security that pushes good security practices to the forefront,” Malik added. “While no one approach will be able to prevent all breaches, it’s important that data isn’t collected unless necessary, and the data that is collected, is done for legitimate purposes and secured properly.”
Gaming, Under Fire From Cybercriminals
The gaming industry overall has become an increasingly attractive target for attacks. In late October the game “Among Us” was hacked and rendered nearly unplayable for many, by what appeared to be a single malicious actor who got a thrill out of ruining the game for others.
Just a week earlier, a ransomware gang claimed to have accessed the source code for Watch Dogs: Legion, ahead of its release. And, another title called Albion was similarly compromised and game databases released on underground forums.
The Ragnar Locker ransomware gang was able to gain access to 1 terabyte of sensitive data on the network of gaming giant Capcom, the company behind titles including Resident Evil, Street Fighter and others.
And just this week, popular kids’ games Minecraft and Roblox uncovered a scam to rip off unsuspecting players’ Google Play accounts.
Cipot added that gaming breaches like these are continuing to gain value among scammers.
“The gaming industry is a common target for attacks, be it data theft or ransomware attacks,” he said. “An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often seen as items for sale — at least accounts owned by adults spending money. However, we now have proof that even educational games for children are no longer safe, and are valuable resources for bad actors.”
While WildWorks grapples with the fallout from the compromise, Malik added that its communications strategy should be a model for other companies.
“It’s reassuring to see Animal Jam take a proactive stance in investigating the breach and being transparent in their approach,” he said.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.