- An online playground for kids has had a grave security incident, losing user data in the process.
- The firm didn’t realize the event’s gravity immediately, but the data has now appeared on the dark web.
- All passwords have been reset now, but the hackers already had a full month to exploit the records.
The notorious data broker known as “ShinyHunters” has allegedly sold two databases belonging to ‘Animal Jam’ containing the details of 46 million accounts. Those who bought the data are now sharing it for free on a dark web forum, so the compromise is now about as complete as it can get.
Bleeping Computer reports having seen samples of the data and having confirmed its validity. Moreover, the timestamps indicate that the data was stolen on October 12, 2020, so the actors had a full month to exploit what was in the records.
‘Animal Jam’ is an online virtual playground that targets children between four and eight years of age. Developed and published by ‘WildWorks,’ it is a cross-platform MMO built around the premise of education through fun.
The game features several limitations to make it safe for the youngsters, like a safe chat function that only allows the kids to pick canned phrases. However, it appears that WildWorks hasn’t done an excellent job in keeping the user data safe from hackers, which is very troublesome in this particular case.
WildWorks CEO Clary Stacey has confirmed that the hackers managed to steal the AWS key after compromising the company’s Slack server. The break-in was dealt with promptly by the IT team, and they found no evidence that any user data had been exfiltrated. However, the data is already freely shared on the dark web, so there’s no doubt about that anymore.
The company ran a deeper investigation into the matter and now confirms that the following data was accessed and potentially copied:
- 46 million player usernames, which are human-moderated to make sure they do not contain a child’s proper name.
- 46 million SHA1 hashed passwords. Though there are claims that 13 million passwords have been cracked, WildWorks has not been able to confirm whether this is true, and notes that the passwords are salted and hashed.
- Approximately 7 million email addresses of parents whose children registered for Animal Jam accounts are included.
- IP addresses used by the parent or player when they signed up for an account.
- 7 million email addresses that are associated with accounts.
- 116 of these records (all from 2010) also include the parent’s name and billing address, but no other credit card info.
- A small subset of the records may include the gender and birth date the player entered when creating their account. Of those, most will only have the birth year.
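The list above states that the leaked passwords were SHA1 hashed and that WildWorks says they were salted; the following added example (not code from WildWorks or the article, run on a constructed set of accounts) shows why that distinction matters. With unsalted SHA1, every account that chose the same password collapses into one identical digest, so a single successful guess exposes the whole group; per-user salts remove that, and a slow, salted KDF such as scrypt is the current recommendation.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data (hypothetical usernames and passwords): three
# accounts happen to share a password, as is common in any large user base.
SAMPLE_ACCOUNTS = {
    "otter_42": "sunshine1",
    "panda_7": "sunshine1",
    "fox_99": "sunshine1",
    "wolf_3": "correct-horse-battery",
}

def sha1_unsalted(password):
    """Legacy scheme: the same password yields the same digest for every account."""
    return hashlib.sha1(password.encode()).hexdigest()

def sha1_salted(password, salt):
    """Per-user salt: identical passwords no longer share a digest."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def shared_hash_groups(hashes):
    """Count digests that appear more than once. Each such group means one
    correct guess reveals every account in the group at no extra cost."""
    return sum(1 for count in Counter(hashes).values() if count > 1)

def scrypt_hash(password, salt=b""):
    """Recommended storage: slow, memory-hard, salted. Returns 'salt$digest' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"

def scrypt_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def compare_schemes(accounts=SAMPLE_ACCOUNTS):
    """How many 'crack one, get many' groups each scheme leaves in the table."""
    unsalted = [sha1_unsalted(p) for p in accounts.values()]
    salted = [sha1_salted(p, os.urandom(16)) for p in accounts.values()]
    return {"unsalted_groups": shared_hash_groups(unsalted),
            "salted_groups": shared_hash_groups(salted)}

if __name__ == "__main__":
    print(compare_schemes())  # {'unsalted_groups': 1, 'salted_groups': 0}
```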
WildWorks has reset all user passwords, so every player will be asked to set a new one when they return to the game. While unfortunate, this is still an excellent opportunity to talk to your children about online safety, account security, password strength, and how to limit and respond to exposure of their data.