The developer of the famous online playground Animal Jam has suffered a data breach exposing the data of tens of millions of users, especially children.
Animal Jam is an online playground for children developed by the Utah-based WildWorks. It is targeted towards children between 7 and 11 years of age and boasts over 300 million animal avatars created by kids.
The virtual playground registers a new user every 1.4 seconds. It has 3.3 million monthly active members and over 130 million registered players.
Now, Animal Jam has suffered a data breach in which millions of user accounts have been leaked. A threat actor has already leaked the stolen database on a hacker forum, stating that they got it from the well-known hacker ShinyHunters.
The databases contain around 50 million stolen records of Animal Jam users. The threat actor has shared a partial database, which shows approximately 7 million records of children or their parents. An analysis of the timestamps on these records reveals that the database was stolen and dumped last month.
Here’s what the hacker had to say about the partial database leak:
WildWorks, on the other hand, has acknowledged the breach and shared information about it. Its CEO Clark Stacey stated that the threat actors compromised WildWorks’ Slack server to obtain the AWS keys. The company addressed the data breach as soon as it occurred. However, it was unaware that some data had been stolen.
Further investigation revealed that 50 million player usernames, which were human-moderated to hide the child’s full name, and 50 million SHA1-hashed passwords were stolen. The threat actors claim that they have cracked 13 million passwords, but WildWorks didn’t confirm whether this is true and stated that the passwords were salted and hashed.
The stolen data includes 7 million email addresses of parents of children who registered for Animal Jam and their IP addresses. Around 116 of these records contained the name and billing address of the parents who registered in 2010 or beyond.
Some records also include the player’s birthdate and gender, but most just contain the birth year. However, credit card information wasn’t included in the database.
Although this is a massive data breach, Stacey claims that it affects a comparatively small subset of the Animal Jam user accounts registered since 2010.
It is, however, recommended that Animal Jam users reset their password the next time they log on.
WildWorks is preparing a report of the incident to share with the FBI Cyber Task Force and notifying all impacted email IDs. Moreover, they have created a Data Breach Alert on their website to answer user queries related to the data breach.
As for ShinyHunters, the Animal Jam breach is another addition to their “portfolio.” In the last few months, the hacker has leaked dozens of databases stolen from prominent companies, including:
WattPad – 271 million accounts leaked
Dunzo – 11GB worth of data leaked
Dave.com – 7 million accounts leaked
Bhinneka – 1 million+ accounts leaked
Minted – 5 million accounts leaked
ProctorU – 444,267 accounts leaked
Tokopedia – 91 million accounts leaked
Couchsurfing – 17 million accounts leaked
Mashable – 5.22GB worth of database leaked