Tens of millions of users have been affected by a data breach at the developer of popular online playground Animal Jam.
Utah-based developer WildWorks describes Animal Jam as a virtual world in which children aged four to eight can play online games with other kids.
However, in a detailed alert yesterday, it revealed that around 46 million account records had been stolen by hackers who accessed a database last month, including millions of email addresses used by parents to register their kids.
It appears that the hackers first accessed a server used for intra-staff communications, where they obtained a key that unlocked access to the user data.
“It was not apparent at the time that a database of account names was accessed as a result of the break-in, and all relevant systems were altered and secured against further intrusion. The database theft most likely occurred in the same October 10-12 2020 time window,” said WildWorks.
“WildWorks learned of the database theft today, November 11 2020, when security researchers monitoring a public hacker forum saw the data posted there and alerted us.”
Among the stolen information were seven million email addresses used to create parent accounts for Animal Jam users. A small number (12,653) of these accounts included parents’ full names and billing addresses, and a further 16,131 included full names but no addresses.
Fortunately, the seven million passwords stolen were encrypted, although it’s not clear how strong the algorithm was or whether they were salted.
“The passwords released in this breach were encrypted and unreadable by normal means,” the breach notice read. “However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgeable hackers to break the encryption and expose your password as plain text.”
Some 32 million player usernames associated with these parent accounts were also taken, although this is less serious than it looks, as WildWorks confirmed that they are all “human moderated to ensure they do not include a child’s real name or other personally identifying information.”
The developer is forcing a password reset as a precaution.