Mobile game developer Zynga could face a class-action lawsuit stemming from a massive data breach last September, which impacted 218 million users of the Words with Friends mobile app.
The news comes as other big names face security incidents: T-Mobile and Carnival Cruise Lines have admitted this week that they were hit with data breaches, and J. Crew said that it suffered a credential-stuffing attack.
The Zynga complaint (PDF – hat-tip to Sophos Security) was filed on behalf of a minor and his parent, in the U.S. District Court for California. It seeks class status and at least $5 million in damages. It accuses the game developer of negligence and a failure to safeguard victims’ personally identifiable information (PII), thanks to “substandard password security.” And because the information was stolen and sold on the Dark Web, the complaint continues, the incident could lead to “further irreparable harm to the plaintiffs’ personal, financial, reputational and future well-being.”
The complaint also points out that many of the victims are likely minors (extrapolating from the overall Words with Friends user footprint, the lawyers in the case peg the number at 14 million kids at least impacted in the breach).
The allegations also include the claim that Zynga failed to notify users directly, in violation of California law, and only posted a warning on its website. Zynga did not immediately return a request for comment from Threatpost.
What’s known is that the hacker known as GnosticPlayers managed to lift a whole trove of account information from the service in September. According to a third-party analysis, that data included names, emails, user IDs, salted passwords, password reset tokens, Zynga account IDs, and connections to Facebook and other social media services. Zynga at the time said that no financial data was taken.
The records were added to the nearly one billion user records that the hacker had already pilfered over the course of 2019. Last January and February alone GnosticPlayers was responsible for more than 840 million account records appearing for sale on the Dark Web “DreamMarket” site (in dumps collectively known as Collections 1-3). He built on that trove over the course of the year, and in all, at least 45 popular online services were hit by GnosticPlayers activity last year.
Email Woes for T-Mobile and Carnival Cruise Lines
Words with Friends isn’t the only brand name in the security headlines this week. T-Mobile USA has sent letters to customers, warning them of a “sophisticated attack” that could have impacted users’ account information. It’s unclear how many subscribers have been affected. Threatpost has reached out for further information.
The attack was against the mobile carrier’s email vendor, it said, which led to “unauthorized access to certain T-Mobile employee email accounts.” Those accounts contained emails with account info for T-Mobile customers and employees, including customer names and addresses, phone numbers, account numbers, rate plans and features and billing information. Luckily, financial and card data, and Social Security numbers, were not impacted.
“This particular breach will, unfortunately, have consequences reaching beyond T-Mobile or its customers’ T-Mobile accounts,” Geoff Huang, vice president of product at Sift, said via email. “Customers who had their financial data exposed are likely to become targets for identity theft, but there’s also another, less obvious, ripple effect: Cybercriminals can use that data to perform account takeover (ATO) attacks on other websites and platforms. This also has serious repercussions for the sites that will be held responsible for refunding fraudulent purchases as well as the associated chargeback fees from payment providers.”
Meanwhile, Carnival Cruise Lines disclosed a breach this week that occurred in a very similar way. It said that between April 11 and July 23, 2019, “an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our guests.”
The unauthorized activity was first discovered in May, according to a notification letter filed with the State of California. Threat actors were able to access names, addresses, Social Security numbers, passport numbers or driver’s license numbers, credit-card and financial account information, and health-related information. No information was given as to how many guests were impacted or why the cruise line waited so long to notify victims. Threatpost has reached out.
“With 325,000 people sailing aboard Carnival ships every day, it is a party that hackers do not want to miss,” Robert Capps, vice president of market innovation for NuData Security, said via email. “Although there is no evidence that the compromised information has been used for fraud, it is important that companies are ready to prevent this potential misuse of the stolen information.”
Credential-Stuffing and J. Crew
As Sift’s Huang mentioned, incidents like these put customers at risk for ATO attacks. These tend to be done via credential-stuffing, which is an attack where previously leaked lists of usernames and passwords are used to gain unauthorized access to systems. This appears to be what happened to J. Crew.
The retailer this week disclosed an ATO attack on users of its jcrew.com website to the State of California: “We believe your email address (used as your jcrew.com username) and password were obtained by an unauthorized party and in or around April 2019 used to log into your jcrew.com account,” it said in a notification letter filed with the state.
The clothier also said that the breach resulted in the exposure of the last four digits of credit-card numbers, expiration dates, card types and billing addresses, and order numbers, shipping confirmation numbers and the shipment status of those orders – all of which could be used to craft convincing phishing and fraud campaigns.
“For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned,” said Jonathan Knudsen, senior security strategist at Synopsys, via email. “The best course of action is to practice good password hygiene. Don’t re-use the same password across multiple sites, and make sure you are using strong password that cannot be easily guessed. If your J. Crew password is also in use elsewhere, be certain you update your passwords to avoid future issues with this or other accounts.”
There’s no word on why the company waited nearly a year to disclose the breach, or when it discovered the illicit activity. Threatpost has reached out for more information.
“J. Crew did not make a public announcement about the attack until nearly a year later,” Knudsen said. “What other attacks, involving your personal information, might have already occurred without your knowledge? Again, the best protection is good password hygiene. For especially valuable accounts, consider upping the bar with two-factor authentication.”
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.