Zynga Discovers Data Breach Related to Unauthorized Access to Player Account Information
Zynga’s “Player Security Announcement” 

In September 2019, Zynga posted a “Player Security Announcement” which disclosed that “[Zynga] recently discovered that certain player account information may have been illegally accessed by outside hackers.”  Zynga reported that “[w]hile the investigation is ongoing, [Zynga does] not believe any financial information was accessed.  However, [Zynga has] identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.”

Reported Class Action Lawsuit Filed Against Zynga 

PocketGamer.biz reported (“Zynga struck with lawsuit regarding Words with Friends data breach“) that

US games developer Zynga has been struck with a class action lawsuit in California regarding the company’s data breach in 2019.

As reported by GamesIndustry.biz, the studio is facing a court case surrounding stolen player information across Words with Friends and Draw Something users.

. . .

In September last year, the company revealed player account information had been accessed via a cyber-attack. While no financial data was believed to have been accessed, the hackers did obtain entry to an estimated 173 million usernames and passwords.

Zynga, Inc.’s Alleged Failure to Reasonably Safeguard Personally Identifiable Information

On March 3, 2020, a class action complaint was filed against Zynga, Inc. in United States District Court for Zynga’s alleged “failure to reasonably safeguard Plaintiffs’ Personally Identifiable Information (‘PII’) . . . failure to reasonably provide timely notification that Plaintiffs’ PII had been accessed and acquired by an unauthorized third party through a data breach, and for intentionally and unconscionably deceiving Plaintiffs relating to the status, safety, location, access, and protection of Plaintiffs’ PII.”

The class action complaint stated that

[i]n September 2019, hacker Gnosticplayers (‘Hacker’) told . . . The Hacker News that he breached Zynga’s user database, gaining access to more than 218 million user accounts.[]

The Hacker said that the stolen information included names, email addresses, login IDs, password reset tokens, Facebook IDs, Zynga account IDs, and passwords secured with SHA-1 cryptography, an encryption method that ‘has been considered outdated and insecure since before Zynga was even founded.[]

According to reports, the data breach is known to have included at least the following Zynga games: Words With Friend; Draw Something; and OMGPOP. [Emphasis added.]

On September 12, 2019, Zynga, according to the class action complaint,

posted a ‘Player Security Announcement’ on its website stating that it “recently discovered that certain player account information may have been illegally accessed by outside hackers.[]

Rather than taking responsibility for its cybersecurity shortcomings, Zynga’s Player Security Announcement implied that data breaches are impossible to avoid. The first sentence of the Player Security Announcement says that ‘Cyber attacks are one of the unfortunate realities of doing business today.’

Zynga did not, and has not to this day, issued an email notification of the breach to its users. Rather, Zynga effectively hid the fact that it suffered a data breach. Only those users who happened to visit Zynga’s website on their own volition, read about the breach in the news, or had signed up to receive email data breach notifications from independent third parties that monitor data breaches were made aware of the breach.

Zynga had the ability to send an email notification to all users because providing an email address appears to be a universal requirement Zynga imposes on all users when going through the registration process.

Rather than sending an email to all users at the time of the breach, Zynga spent its time shoring up its legal defenses.

Some Zynga users first learned of the breach through receipt of an email alert from the website ‘Have I Been Pwned,’ which allows users to sign up for notifications when their [Personally Identifiable Information] is included in a data breach. That alert was not sent until December 18, 2019. The unfortunate reality is that most Zynga users are still completely unaware that their PII was stolen as a result of the Zynga data breach, because Zynga failed to reasonably advise them.

Further, according to the class action complaint, “[t]he information stolen from Zynga included names, phone numbers, usernames, email addresses, and passwords-PII that is highly valued among cyber thieves and criminals on the Dark Web.”  Additionally, the complaint states that “. . . the Hacker obtained over 200 million passwords, including more than 7 million passwords that Zynga had stored in clear text, as a result of the data breach.” [Emphasis added.]

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.