A class-action lawsuit has been filed against gaming company Zynga Inc. over a data breach that exposed the personal information of 173 million users.
The casual-gaming giant, which made its name with Farmville, warned mobile players of Words With Friends and Draw Something to update their passwords after the breach occurred in September 2019.
That month, Pakistani hacker Gnosticplayers claimed to have breached Zynga’s user database and accessed 218 million user accounts.
A player security announcement made by Zynga on September 12 in the wake of the breach dispassionately touted cyber-attacks as "one of the unfortunate realities of doing business today."
The company took a fairly coy line on what information had been accessed in the attack, admitting only that "certain player account information may have been illegally accessed by outside hackers."
Players were assured by Zynga at the time the attack was publicized that their financial information had not been compromised.
Now two plaintiffs have filed a class-action lawsuit against Zynga in the district court of California and accused the company of "failure to reasonably safeguard" players' personal information.
Personal data specifically mentioned by the plaintiffs in the suit includes usernames, email addresses, login IDs, password reset tokens, Facebook IDs, Zynga account IDs, and passwords stored with outdated cryptography.
The plaintiffs, one of whom is a minor represented by an adult, allege in particular that Zynga failed to uphold the special duty of care it owes the many minors who play its games.
According to the complaint, Zynga didn't just neglect to take adequate steps to protect players' data. Plaintiffs also allege the gaming company acted deliberately to "intentionally and unconscionably" deceive users regarding the safety of their personal information.
Furthermore, the lawsuit accuses Zynga of unjust enrichment and criticizes the company for allegedly failing to notify users of the breach in a timely manner. The plaintiffs claim that Zynga never officially notified users of the breach via email, but merely posted statements regarding the breach online.
In total, the lawsuit lists 14 separate counts of action and claims for relief, ranging from the violation of state data breach statutes to negligence.
Damningly, the suit says the company seems to be “far more concerned with protecting itself than with safeguarding the valuable and confidential information of its users.”