Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/30/2019
11:00 AM
50%
50%

218M Words with Friends Players Compromised in Data Breach

The same attacker was reportedly behind the Collection #1 and Collection #2 data dumps earlier this year.

A cybercriminal operating under the alias Gnosticplayers has broken into the Words with Friends database and gained access to 218 million player records, The Hacker News reports.

The popular puzzle game is owned by Zynga, one of the biggest names in the social gaming market with other well-known offerings, including FarmVille, Mafia Wars, and Zynga Poker. Zynga issued a disclosure on September 12 to say some player data may have been obtained by unauthorized parties; now, a new report sheds light on the extent of the security incident.

Gnosticplayers, the same cybercriminal also reportedly behind the Collection #1 and Collection #2 data dumps earlier this year, told The Hacker News he was able to breach a Words with Friends database containing more than 218 million user records. The incident affects players using iOS and Android devices who installed and registered for the game on or before September 2.

A sample of the stolen data revealed the range of user data exposed: names, email addresses, login IDs, hashed and salted passwords, requested password reset tokens, provided phone numbers, Facebook ID if the user had connected, and Zynga account ID, the report states.

The attacker also claims to have accessed information belonging to 7 million players of the also-popular Draw Something game, as well as a game called OMGPOP that is discontinued, The Hacker News found. Exposed data included plaintext passwords.

Read more details here.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Etiquette of Respecting Privacy in the Age of IoT."

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
OAuth, OpenID Flaw: 7 Facts
Mathew J. Schwartz 5/8/2014
Quick Hits
Study: Many UK Retail, Financial Firms Still Don't Understand Security Risks
Tim Wilson, Editor in Chief, Dark Reading 5/8/2014
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Your new device is too complex. Me stick with iWheel.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21312
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen...
CVE-2021-21313
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not proper...
CVE-2021-21314
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
CVE-2021-27931
PUBLISHED: 2021-03-03
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27935
PUBLISHED: 2021-03-03
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.