Animal Jam data breach: 100,000 de-hashed user records leaked, 900,000 more sold on hacker forum
UPDATE (12-11-2020): According to WildWorks CEO Clark Stacey, the company "forced a password change on all Animal Jam accounts, notified users by email, and published [an] FAQ" about the breach immediately after its discovery. Stacey adds that "the decrypted passwords [...] - if real - would not have been able to compromise Animal Jam accounts by the time they appeared."
A database containing 900,000 user records from the free-to-play game Animal Jam is being sold on hacker forums, with another 100,000 records leaked as a proof-of-concept sample.
Animal Jam is a free-to-play pet simulator developed by WildWorks, a US-based game development studio. The game is available on iOS, Android, PC, and Mac, and has over 130 million registered accounts across all supported platforms.
Recently, the game suffered a data breach in which a database containing more than 50 million stolen player records, including email addresses and hashed passwords, was leaked on a hacker forum.
It appears that a second hacker took about a week to de-hash about a million passwords from that database and put the plain-text data up for sale on another hacker forum. The user records in the file posted on that forum on November 17 include the players’ email addresses and passwords in plain text.
To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.
What was leaked?
The file posted on the hacker forum contains what appears to be 100,000 Animal Jam user records, including email addresses and presumably de-hashed passwords stored in plain text.
Example of leaked user records:
Such lists of de-hashed user credentials are also known as combo-lists, and they give attackers ready-made, machine-readable strings. Combo-lists are typically used as input for automated authentication requests in various malicious activities, such as credential stuffing attacks.
What’s the impact of the leak?
Fortunately, the data found in the leaked file does not contain deeply sensitive information like document scans or credit card numbers. However, it can still be used against Animal Jam players in a variety of ways, such as:
- Carrying out credential stuffing attacks in order to hack players’ accounts in other games
- Holding players’ Animal Jam accounts ransom
- Spamming the victims’ email inboxes with malicious emails
Animal Jam is a free-to-play game that is targeted towards children and incorporates microtransactions. This means that selling stolen game accounts with unlocked premium features and cosmetics back to the affected players or their parents could net malicious actors a lot of money.
What to do if you have been affected?
If you (or your child) have an Animal Jam account and your data has been leaked on this hacker forum, we recommend you:
- Change your Animal Jam and email passwords immediately and consider using a password manager to create long, complex passwords.
- If you have been using an identical password for any other games or online services, change it there as well.
- Watch out for potential phishing emails. Do not click on anything suspicious or respond to anyone you don’t know.
- Enable two-factor authentication (2FA) on all your online accounts.
De-hashing: The danger of using weak passwords
Judging from the Animal Jam combo-list sample posted on the hacker forum, the vast majority of the de-hashed passwords were weak and contained commonly used words and word-number combinations. While hashing is similar to encryption in that it scrambles input data into semi-randomized output data, there’s a significant difference: hashing is a one-way process.
Competent threat actors are able to de-hash weak passwords by taking acquired lists of password hashes and comparing them with hashes of known weak passwords. This works because hashing is deterministic: identical combinations of symbols will always have the same hash value. This means that if a certain commonly used password has been de-hashed once, every other identical password can be de-hashed using the same value.
In fact, there are software tools that are designed specifically for de-hashing passwords that have been compromised in previous data breaches.
An attacker only needs to upload two text files (called “dictionaries”). The first dictionary is typically composed of the hashed-password column entries from a hacked database. In this case, it would be the hashed passwords from the previous Animal Jam breach. The second file contains commonly used passwords or combinations of words, symbols, and numbers. These combinations, joined together, form the second dictionary.
The de-hashing tool hashes the entries of the second dictionary and, together with any hashes already known to the attacker, compares them with the hashes in the first dictionary. If any of the hashes match, the program associates the matching hash with its plain-text value, giving the attacker all the de-hashed passwords in plain text.
This might be how the threat actor who is selling the Animal Jam combo-list acquired a million passwords in a relatively short amount of time since the Animal Jam data breach.
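The property described above, seen from the defender's side, as an added example (not code from the article or from WildWorks): under a fast unsalted hash, identical passwords store identical values, so one table of common-password hashes flags every account that used one, while a random per-user salt with PBKDF2 removes the duplicates. The accounts, word list, choice of SHA-256 and iteration count are assumptions made for the demo; the page does not say how Animal Jam hashed its passwords.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data (not taken from the leak): two users share a weak password.
ACCOUNTS = {
    "a@example.com": "bunny123",
    "b@example.com": "bunny123",
    "c@example.com": "T7#qv-Lantern-Orbit-92",
}
COMMON_PASSWORDS = ["123456", "password", "bunny123"]  # constructed list
ITERATIONS = 100_000  # assumed work factor for this demo


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always yields the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2 with a random per-user salt; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], key)


def audit_unsalted(stored: dict[str, str], wordlist: list[str]) -> list[str]:
    """Accounts whose stored unsalted hash equals the hash of a common password."""
    known = {unsalted_hash(word) for word in wordlist}
    return sorted(user for user, digest in stored.items() if digest in known)


def shared_values(stored: dict) -> int:
    """How many accounts store a value that another account also stores."""
    values = list(stored.values())
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    weak_store = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    strong_store = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    print("flagged by one table:", audit_unsalted(weak_store, COMMON_PASSWORDS))
    print("duplicates:", shared_values(weak_store), "vs", shared_values(strong_store))
```

A salt only stops one precomputed table from covering every account; a weak password can still be guessed one account at a time, which is why the advice about strong passwords still applies.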
Which brings us to the moral of the story: never use weak passwords. And if you’re as bad at creating and remembering strong passwords as we are… please, for the love of all that is holy, use a password manager.