• About Us
  • Contact
  • Careers
  • Send Us a Tip
Menu
  • About Us
  • Contact
  • Careers
  • Send Us a Tip
CyberNews logo
Newsletter
  • Home
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
Menu
  • Home
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
CyberNews logo

Home » Security » Animal Jam data breach: 100,000 de-hashed user records leaked, 900,000 more sold on hacker forum

Animal Jam data breach: 100,000 de-hashed user records leaked, 900,000 more sold on hacker forum

by Edvardas Mikalauskas
9 December 2020
in Security
0
1 million Animal Jam player records leaked
31
SHARES

UPDATE (12-11-2020): According to WildWorks CEO Clark Stacey, the company “forced a password change on all Animal Jam accounts, notified users by email, and published [an] FAQ” about the breach immediately after its discovery. Stacey adds that “the decrypted passwords […] – if real – would not have been able to compromise Animal Jam accounts by the time they appeared.”

A database containing 900,000 user records from the free-to-play game Animal Jam is being sold on hacker forums, with another 100,000 records leaked as a proof-of-concept sample.

Animal Jam is a free-to-play pet simulator developed by WildWorks, a US-based game development studio. The game is available on iOS, Android, PC, and Mac, and has over 130 million registered accounts across all supported platforms. 

Recently, the game suffered a data breach where a database containing more than 50 million stolen player records, including email addresses and hashed passwords, has been leaked on a hacker forum.

Graphical user interface  Description automatically generated

It seems that it took about a week for a second hacker to de-hash about a million passwords from the previous database and put the plain-text data for sale on another hacker forum: the user records stored in the file that was posted on the hacker forum on November 17 include the players’ email addresses and passwords in plain text.

To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.

What was leaked?

The file posted on the hacker forum contains what appears to be 100,000 Animal Jam user records, including email addresses and presumably de-hashed passwords stored in plain text. 

Example of leaked user records:

Graphical user interface, application  Description automatically generated

Such combinations of decrypted user credentials are also known as combo-lists, giving attackers ready-made, machine-readable strings. Combo-lists are typically used as input for automated authentication requests in various malicious activities, such as credential stuffing attacks.

What’s the impact of the leak?

Fortunately, the data found in the leaked file does not contain deeply sensitive information like document scans or credit card numbers. However, it can still be used against Animal Jam players in a variety of ways, such as:

  • Carrying out credential stuffing attacks in order to hack players’ accounts in other games 
  • Holding players’ Animal Jam accounts ransom
  • Spamming the victims’ email inboxes with malicious emails

Animal Jam is a free-to-play game that is targeted towards children and incorporates microtransactions. This means that selling stolen game accounts with unlocked premium features and cosmetics back to the affected players or their parents could net malicious actors a lot of money.

What to do if you have been affected?

If you (or your child) have an Animal Jam account and your data has been leaked on this hacker forum, we recommend you:  

  • Change your Animal Jam and email passwords immediately and consider using a password manager to create long, complex passwords
  • If you have been using an identical password for any other games or online services, change it there as well.
  • Watch out for potential phishing emails. Do not click on anything suspicious or respond to anyone you don’t know.
  • Enable two-factor authentication (2FA) on all your online accounts.

De-hashing: The danger of using weak passwords

Judging from the Animal Jam combo-list sample posted on the hacker forum, the vast majority of the de-hashed passwords were weak and contained commonly used words and word-number combinations. While hashing is similar to encryption in that it scrambles input data into semi-randomized output data, there’s a significant difference: hashing is a one-way process.

Competent threat actors are able to de-hash weak passwords by taking acquired lists of password hashes and comparing them with hashes of known weak hash combinations. This is because of the difference between hashing and encryption: identical combinations of symbols will have the same hash value. This means that if a certain commonly used password has been de-hashed once, every other identical password can be de-hashed using the same value.

In fact, there are software tools that are designed specifically for de-hashing passwords that have been compromised in previous data breaches.

An attacker only needs to upload two text files (called “dictionaries”). The first dictionary is typically composed of hashed password column entries from a hacked database. In this case, it would be the hashed passwords from the previous Animal Jam breach. The second column contains commonly-used passwords or combinations of words, symbols, and numbers. These combinations, when joined together, form the second dictionary. 

The de-hashing tool takes the second dictionary and the hashes already known by the attacker and compares it with the first dictionary hashes. If any of the hashes match, the password is identified by the program and is associated with the plain text value, giving the attacker all the de-hashed passwords in plain text. 

This might be how the threat actor who is selling the Animal Jam combo-list acquired a million passwords in a relatively short amount of time since the Animal Jam data breach. 

Which brings us to the moral of the story: never use weak passwords. And if you’re as bad at creating and remembering strong passwords as we are… please, for the love of all that is holy, use a password manager.

Share31TweetShareShare

Related Posts

The satellite-hacker’s guide to the space industry: don’t panic (yet)

The satellite-hacker’s guide to the space industry: don’t panic (yet)

27 January 2021
Man in front of multiple computers

North Korea has been targeting threat researchers

27 January 2021
Teespring data leaked on hacker forum

8+ million Teespring user records leaked on hacker forum

25 January 2021
Covid-19 vaccine

Covid vaccines are now an excuse to launch phishing attacks

22 January 2021
Next Post
Yandex robots start to deliver restaurant meals in central Moscow

Yandex robots start to deliver restaurant meals in central Moscow

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Popular News

  • 70TB of Parler users’ messages, videos, and posts leaked by security researchers

    70TB of Parler users’ messages, videos, and posts leaked by security researchers

    83053 shares
    Share 83043 Tweet 0
  • The ultimate guide to safe and anonymous online payment methods in 2021

    13 shares
    Share 13 Tweet 0
  • 8 best cybersecurity podcasts for 2021

    56 shares
    Share 56 Tweet 0
  • Best alternatives to Gmail to protect your privacy

    481 shares
    Share 481 Tweet 0
  • Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices

    13365 shares
    Share 13361 Tweet 0
Wall Street vs Main Street fight quashes hedge funds as GameStop keeps rallying

Wall Street vs Main Street fight quashes hedge funds as GameStop keeps rallying

27 January 2021
Google to stop using Apple tool to track iPhone users, avoiding new pop-up warning

Google to stop using Apple tool to track iPhone users, avoiding new pop-up warning

27 January 2021

‘World’s most dangerous malware’ Emotet disrupted

27 January 2021
The satellite-hacker’s guide to the space industry: don’t panic (yet)

The satellite-hacker’s guide to the space industry: don’t panic (yet)

27 January 2021
Man in front of multiple computers

North Korea has been targeting threat researchers

27 January 2021
GameStop extends Reddit driven hyper-rally after Musk tweet

GameStop extends Reddit driven hyper-rally after Musk tweet

27 January 2021
Newsletter

Subscribe for security tips and CyberNews updates.

Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!
Categories
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
  • VPNs
  • Password Managers
  • Secure Email Providers
  • Antivirus Software Reviews
Tools
  • Personal data leak checker
  • Strong password generator
About Us

We aim to provide you with the latest tech news, product reviews, and analysis that should guide you through the ever-expanding land of technology.

Careers

We are hiring.

  • About Us
  • Contact
  • Send Us a Tip
  • Privacy Policy
  • Terms & Conditions
  • Vulnerability Disclosure

© 2021 CyberNews

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.

Home

News

Editorial

Security

Privacy

Resources

  • About Us
  • Contact
  • Careers
  • Send Us a Tip

© 2020 CyberNews – Latest tech news, product reviews, and analyses.

Subscribe for Security Tips and CyberNews Updates
Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!