Massive Words with Friends hack exposes 218 million account login details

A hacker has claimed responsibility for a massive breach of the popular mobile game Words With Friends, saying more than 218 million account logins and associated data have been stolen. The hacker, known as Gnosticplayers, told The Hacker News the data comes from Android and iOS versions of the game, and includes everything from names and email addresses, to hashed passwords, phone numbers, and Facebook identification.

Words With Friends developer Zynga released a statement on September 12 regarding a cyberattack, but did not go into the extent of the hack or the numbers involved. It set about reassuring players that it did not believe any financial information had been accessed, but that account login information had. Zynga said it had, “taken steps to protect these users accounts from invalid logins,” and that following further investigation players would be notified of any concerns.

The potential severity of the hack has only become clear after Gnosticplayers spoke to The Hacker News. Sample data shared with the site included names, email addresses, login IDs, hashed passwords, password reset tokens, phone numbers, Facebook identification, and Zynga account details. In addition to the Words With Friends hack, Gnosticplayers claimed responsibility for hacking seven million other clear text passwords for accounts from Zynga’s Draw Something and the OMGPOP game, which is no longer available.

The breach concerns account holders that have logged into Zynga’s games up to and including September 2, 2019. Even more concerning than the hack itself, is where the 218 million or more account details may end up. Gnosticplayers has successfully hacked dozens of other websites during 2019, varying from MyFitnessPal to CoffeeMeetsBagel, and has gone on to sell the account details through the dark web. It’s entirely possible the same thing will happen with the data from the latest hack.

If you play Words With Friends, what is the next step? As with all hacks, the best thing to do is change your password immediately, and also change it on any other sites or services where it was reused. If the service is offered, it’s always advisable to switch on two-step verification, which adds an additional layer of security to some accounts. Be extra vigilant when receiving unexpected emails that claim to be from sites you use requesting details or password changes too.

Zynga has launched an investigation, is working with forensic teams, and has contacted law enforcement about the hack.

Editors' Recommendations