Hackers Steal 46 Million Animal Jam Account Records, Dating Back 10 Years

Graham CLULEY

November 18, 2020

  • Hackers circulate database containing millions of players’ details
  • Wildly-popular online game impresses with its response to data breach

Don’t worry if you haven’t heard of Animal Jam. It’s not a game that’s aimed at you – its target audience is kids between 7-12 years old.

With more than 300 million registered players, Animal Jam is a wildly popular online game which sees kids adopt their favourite animal guises and explore a brightly-coloured world.

Animal Jam likes to present itself as “safe and fun,” but this week we have learnt that that doesn’t mean it can’t ever suffer a security breach.

WildWorks, the developer of Animal Jam, has confirmed that early last month a hacker broke into its systems and stole 46 million Animal Jam records.

According to the alert posted on the Animal Jam website, the database containing the records was stolen following an attack that saw a hacker break into a third-party communications tool used by WildWorks employees, and steal an access key.

Last week the Animal Jam team became aware that stolen data had been posted on an underground hacking forum.

According to WildWorks, the database circulated by the hackers contains approximately 46 million Animal Jam records, made up as follows:

  • Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
  • Approximately 32 million player usernames associated with these parent accounts
  • Passwords associated with those user accounts, but in encrypted form
  • 14.8M records include the birth year the player entered at account creation
  • 23.9M records include the gender the player entered at account creation
  • 5.7M accounts include the full birthday the player entered at account registration
  • 12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
  • 16,131 of the parent accounts include a parent’s first and last name, without a billing address

Animal Jam may be designed for children, but the information it has shared about the security breach is refreshingly mature.

Not only is WildWorks unafraid to share information about just how many records were exposed by the data breach, but it also puts parents’ minds at rest that their children’s personal details have not been put in peril. Furthermore, virtually no information related to billing was exposed, and even then no payment card details.

“We believe the information stolen was confined to the items listed above. No real names of children were part of this breach. Billing name and billing address were included in 0.02% of the stolen records; otherwise no billing information was stolen, nor information that could potentially identify parents of players. All Animal Jam usernames are human moderated to ensure they do not include a child’s real name or other personally identifying information.”

No-one likes any kind of data breach, but there is some comfort to be found here – especially as it’s young kids who play Animal Jam.

This silver lining on the cloud is made possible because of how Animal Jam was designed in the first place. WildWorks knew there was some information that it didn’t want to store about its young players, and so it put processes in place to ensure that it wasn’t collected in the first place.

There have been plenty of other hacked companies who could learn a lesson from the way Animal Jam is handling its unfortunate hack.

As a precaution, all Animal Jam players are being forced to change their passwords, and are being urged to choose hard-to-crack passwords that will not be easy to guess. I would add to that that you should also ensure you are not using the same password anywhere else on the internet.

WildWorks says it is sharing information about the data breach with law enforcement agencies, and will work closely with the authorities to identify and prosecute those responsible.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
