How a Game Developer Leaked 46 Million Accounts
WildWorks Data Breach Shows Danger of Sharing Sensitive Keys Over Chat
Chat and collaboration tools such as Slack are critical for software development teams. But a data breach experienced by Utah-based software developer WildWorks illustrates why developers should think twice before sharing sensitive database keys over chat.
WildWorks is notifying millions of parents of a data breach that compromised 46 million accounts for a desktop and mobile kids' game called Animal Jam. Notifications are also being sent from Have I Been Pwned, the data breach notification service from Australian breach expert Troy Hunt.
A database containing the data was advertised Tuesday on a well-known hacker forum for the buying and sharing of data. The records span from when Animal Jam was created around 2010 until the present, according to Clark Stacey, CEO of WildWorks.
The 46 million exposed records include usernames and salted password hashes, plus full birthdates of children for 5.7 million accounts and birth years for 14.8 million accounts. The gender of children was indicated for 24 million accounts. Seven million of those accounts contained email addresses for accounts linked to Animal Jam and Animal Jam Classic. No full names of children were leaked, however, which may mitigate the impact of birth dates being leaked.
"Understand that the profile of our typical threat actor is a bored teenage boy. Clearly, this was a much more sophisticated attack than it appeared a month ago."
—Clark Stacey, CEO, WildWorks
Animal Jam is a role-playing game WildWorks launched in 2010 in partnership with National Geographic Kids. Designed as a way to learn about wildlife, the game lets users furnish a “den” by collecting or buying special items and interact with other players via chat.
A 2016 review of the game in The Washington Post was complimentary but highlighted some less attractive aspects, including a semi-creepy chat experience and a smidge of online bullying.
The tale behind how Animal Jam’s database was compromised should serve as a warning to software developers about how careful they need to be to avoid sharing sensitive credentials over services such as Slack.
Snatching the Key
WildWorks detected the breach after it occurred between Oct. 10 and 12, but it initially appeared no data from Animal Jam’s MySQL database had been exfiltrated, Stacey says. Viewing the breach as low risk, the company opted not to notify its users.
Around the same time, WildWorks CTO Beau Brewer says he was notified by Slack that someone had gained access to his account. Slack had detected oddities, including that Brewer’s account was used to post anime music videos on numerous channels, he says.
How Brewer's Slack account was compromised remains a mystery. He says he used a strong password and had two-step verification enabled. He used Authy to generate the access code. Slack, he says, has refused to provide details on how his account was compromised.
Slack disputes this, however, and says that Brewer did not have 2FA on his account. “This may have been the result of malware or the re-use of credentials previously exposed,” it says in a statement.
Brewer says he immediately forced a reset on all active Slack sessions and reset his password. Slack provided Brewer with a list of Slack channels and files that were accessed by the attacker. Unfortunately, one of the files contained an Amazon Web Services key that had been shared with him by a WildWorks developer.
“We deactivated the key in AWS, but apparently it wasn’t before they were able to spin up an instance via EC2 and gain access to our database,” Brewer says.
During its investigation, Stacey says, WildWorks found that the server the attacker had launched used a curl command to reach the Animal Jam database but didn’t do anything else.
It’s now suspected, however, that the attacker may have spun up the EC2 instance and then tunneled through to the database, which Stacey says didn’t leave a telltale command trace.
Stacey says WildWorks probably should have quickly notified its users, “but understand that the profile of our typical threat actor is a bored teenage boy.”
“The Slack intruder announced himself by posting obvious nonsense to Beau’s account, which made us think one of the script kiddies always poking at Animal Jam found a Slack zero-day on a forum somewhere and came in to vandalize and show off,” Stacey says. “We clamped down to secure anything they accessed, then felt relieved that they hadn’t found a way to get into any sensitive user data. Clearly, this was a much more sophisticated attack than it appeared a month ago.”
Slack also disputes Stacey’s statement. “There has been no breach to Slack's infrastructure,” the company says.
WildWorks’ situation highlights a trend in data breaches, Hunt says.
“We as an industry seem to be at this point where a single thing going wrong is bringing down the whole house of cards,” he says.
What Was Breached
The 7 million email accounts belong to parents, whom Animal Jam requests register so they can provide consent for their child to create an account, Stacey says. Those parents also get access to a control panel to monitor their child’s account.
At least 32 million player usernames were also compromised. Stacey says, however, that WildWorks’ system prevents a child from using their real name as a username, and the selection of usernames is moderated by people.
The breach also compromised other personally identifiable information, Stacey says. For 12,653 accounts, the names and billing addresses of some parents who created accounts around 2010 were exposed. Also, 16,131 accounts contained a parent’s first and last name but no billing address. No financial data was compromised.
Stacey says WildWorks will send email notifications to users and has posted an FAQ about the breach on its website. It is also preparing a report for the FBI’s Cyber Task Force. All players will have to change their passwords.
“WildWorks is a small company, but we take player security very seriously,” Stacey says.
SHA1: Problematic
Setting aside the PII that was leaked, the biggest concern about this breach may be the salted password hashes. "Salting" is an extra security measure to thwart cracking.
The original post advertising the data for sale indicated the hashes used SHA1 and that 13 million of them had been cracked, meaning plain-text passwords have been discovered. Brewer says, however, “We don’t currently have reason to believe that the hackers responsible can decrypt the salted/hashed passwords in this breach.”
SHA1 has been considered an insufficient hashing algorithm for nearly a decade. Hashing is a one-way process that turns a plain-text password into a cryptographic representation of it, which, in theory, cannot be reversed to recover the original password.
The National Institute of Standards and Technology in 2011 deprecated the use of SHA1 due to the rising potential for collision attacks, in which two different files could share the same SHA1 hash. Also, advancing computing power and new attack techniques have made it easier to crack SHA1 hashes.
Even SHA1 hashes that are salted are ineffective, as pointed out eight years ago in this blog post by Hunt.
Most organizations now use bcrypt to hash passwords. Bcrypt is more resistant to brute-force attempts because generating a bcrypt hash is deliberately slower than computing SHA1 or other general-purpose hashing algorithms, which raises the cost of every guess an attacker makes.
Brewer says WildWorks plans to move to bcrypt before the end of the year. In the meantime, it has been using PBKDF2 v2.
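One way to carry out that kind of migration from legacy salted SHA1 to a slow password hash is to re-hash each account on its next successful login, since that is the only moment the plaintext is available. The following is an added example, not WildWorks' code; it uses PBKDF2-HMAC-SHA256 from Python's standard library (bcrypt needs a third-party package), and the record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed iteration count for this example; tune to your own hardware budget.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password: str, salt: bytes) -> str:
    """Legacy scheme described in the article: one fast SHA1 pass over salt + password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def legacy_record(password: str) -> dict:
    """Constructed legacy-style record, as a migration starting point."""
    salt = os.urandom(8)
    return {"scheme": "sha1", "salt": salt.hex(), "hash": legacy_sha1(password, salt)}


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Fresh random salt plus a slow PBKDF2-HMAC-SHA256 derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Verify against either scheme; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        candidate = legacy_sha1(password, salt)
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        record["iterations"]).hex()
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(password: str, record: dict) -> tuple:
    """Return (ok, record). A successful login against a SHA1 record yields
    a replacement PBKDF2 record the caller should persist; failures leave it untouched."""
    ok = verify(password, record)
    if ok and record["scheme"] == "sha1":
        return True, pbkdf2_record(password)
    return ok, record
```

Accounts that never log in again keep their legacy hash, so a migration like this is normally paired with a forced password reset, as the article says WildWorks is requiring.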
Nonetheless, Hunt says that means there’s probably a large pool of people who now should change their password on other services where their Animal Jam password may have been reused.