Bleeping Computer reports that hackers attacked the online “playground” Animal Jam, created by WildWorks and aimed at children aged 7-11.
Two databases (game_accounts and users) have already been published on the darknet, containing information on approximately 46,000,000 users. It is argued that these databases were obtained by the well-known hack group ShinyHunters, which in the past has repeatedly taken responsibility for large data leaks.
For free, the attackers published only a part of the database containing approximately 7,000,000 user records of children and parents who registered in the game.
Representatives of the WildWorks company said that they, too, found out about the hacking only this morning and now the company is actively investigating the incident. WildWorks CEO Clary Stacey told Bleeping Computer that the attackers appear to have obtained the key from the company’s AWS after the recent compromise of the Slack server.
Although WildWorks was aware of this attack, no one had previously assumed that any data had been stolen during the incident.
As the investigation has now shown, the attackers gained access to the database, which contained:
- 46 million usernames of players that are manually moderated to ensure they do not contain the real names of the children;
- 46,000,000 hashed passwords (SHA1). Although the hackers claim to have cracked 13,000,000 passwords, WildWorks was unable to confirm or deny this information, and did not provide details of how passwords are hashed and salted;
- 7,000,000 email addresses of parents whose children are registered with Animal Jam;
- IP addresses that parents or players used when registering the account. All samples examined by Bleeping Computer contained IP address information;
- 7,000,000 email addresses associated with accounts;
- 116 records (all dated 2010) also included the name and billing address, although they did not contain information about the bank card;
- A small portion of the records may contain information about the date of birth and gender of the child, which the players specified when creating the account. However, for the majority, only the year of birth is indicated.
Although the hackers have compromised quite a few users, Stacy stated that this is only a small fraction of Animal Jam’s overall user base. The fact is that Animal Jam currently has over 130 million registered players and 3.3 million monthly active users monthly.
WildWorks specialists and law enforcement agencies (including the FBI) are already investigating the incident. All affected users began to be notified of the incident by e-mail, and a special section dedicated to the attack and related user questions was launched on the Animal Jam website.
Let me remind you that Minecraft fans downloaded fleeceware from Google Play over 5,000,000 times.
