Pierluigi Paganini November 12, 2020

The popular children’s online playground Animal Jam has suffered a data breach that affected more than 46 million accounts.

Animal Jam is a safe, award-winning online playground for kids created by WildWorks.

Kids aging 7 through 11 can play games, personalize their favorite animal, learn fun facts, and so much more. Animal Jam currently has over 130 million registered players and 3.3 million monthly active users.

Animal Jam has suffered a data breach impacting 46 million accounts belonging to children and parents who signed up for the game. 

This week a threat actor published two databases, titled ‘game_accounts’ and ‘users’, belonging to the popular gaming portal for free on a hacker forum. The huge trove of data was obtained by the black hat hacker ShinyHunters, which is known for several data leaks.

The threat actor did not share the complete databases, it only leaked a dump containing 7 million user records. The exposed data includes the email addresses of the parents managing the player accounts and other info.

According to Bleeping Computer, which analyzed the sample records, the database was stolen around October 12th, 2020 based on the timestamps in the dump.

WildWorks immediately launched an investigation into the security breach, company, it appears that threat actors compromised the server of a third-party vendor WildWorks uses for intra-company communication. The attackers obtained a key that enabled them to access this database.

“WildWorks has learned that a database containing some Animal Jam user data was stolen in connection with a recent attack on the server of a vendor WildWorks uses for intra-company communication. A subset of the stolen records include the email addresses of the parents managing the player accounts and other data that could be used to identify the parents of Animal Jam players.” reads the data breach notification published by the company.

The information exposed in the data breach includes:

• Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
• Approximately 32 million player usernames associated with these parent accounts
• Passwords associated with those user accounts, but in encrypted form
• 14.8M records include the birth year the player entered at account creation
• 23.9M records include the gender the player entered at account creation
• 5.7M accounts include the full birthday the player entered at account registration
• 12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
• 16,131 of the parent accounts include a parent’s first and last name, without a billing address

The company is going to notify impacted users, it pointed out that all user databases have now been secured against similar attacks.

WildWorks is recommending owners of Animal Jam accounts to immediately change their password.

“The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgable hackers to break the encryption and expose your password as plain text.” concludes the company. “As a precaution, we are forcing ALL players to change their passwords immediately to ensure the security of their accounts.”

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]