Online children’s game Animal Jam has been hit by a severe data breach, impacting 46 million user accounts. WildWorks, the developer of Animal Jam, stated that Animal Jam user data was stolen in connection with a recent attack on the server of a vendor it uses for intra-company communication.
The virtual world game was launched in 2010 and has approximately 130 million users and over 300 million individual avatars. The game’s database contains: email addresses connected to seven million Animal Jam and Animal Jam Classic parent accounts; 32 million player usernames associated with these accounts; encrypted passwords; 14.8 million player birth years; 23.9 million player gender records; 5.7 million precise player birthdates; 12,653 parents’ full names and billing addresses; and 16,131 parents’ full names without an associated address.
The threat actor, who has posted data onto a public hacker forum, shared only a partial database containing approximately 7 million user records for children/parents who signed up for the game. WildWorks learned of the attack on 11th November when threat researchers alerted it after spotting some of the data being posted.
WildWorks has said in a statement: “We believe the information stolen was confined to the items already stated. Billing names and addresses were included in 0.02% of the stolen records; otherwise no billing information was stolen, nor information that could potentially identify parents of players.
All Animal Jam usernames are human moderated to ensure they do not include a child’s real name or other personally identifying information.”
Commenting on the attack, Boris Cipot, Senior Security Engineer at Synopsys, said: “The gaming industry is a common target for attacks, be it data theft or ransomware attacks. An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often items for sale – at least accounts owned by adults spending money. However, we now have proof that even educational games for children are no longer safe, but valuable resources for bad actors.”
The firm has given assurances that no other user data has been accessed at this time and that all user databases have since been secured. As a precaution, all players are being told to change their passwords immediately and are advised to check their data on haveibeenpwned.com as soon as possible. Account holders who have used the same password for an account at any other online service should change that password immediately as well.
“Never, ever use a password such as ‘password’ or ‘1234567’ because you are asking for trouble,” noted Sam Curry, Chief Security Officer at Cybereason. “You would be surprised how easy some people make it for hackers to be successful. Animal Jam’s customers should also consider using a password manager because they are easy to use and safe. There are many reputable products on the market today and many are offering free trial offers during the holiday shopping season.”
Security awareness advocates have commended WildWorks for acting proactively and transparently in investigating the incident. However, the incident has raised questions over how technology has become so deeply embedded in daily life that even children’s games need to be linked to accounts that hold Personally Identifiable Information (PII).
“The main risk we are facing here is that for anyone re-using credentials they may fall victim to credentials spraying where their logins in this system are used against other platforms,” concluded Martin Jartelius, Chief Security Officer at Outpost24. “So, if you know you are re-using credentials, be it that you have an account on this service or not, please prioritise getting unique credentials set up per service.”