A security breach at the famous children’s game Webkinz World has jeopardized the credentials of nearly 2.3 crore users, according to a report.
The game launched back in 2005 as the online counterpart of a line of Ganz plush toys. Users could enter the code that was on their plush toys on the Webkinz website where they could play and manage a version of their toy in the form of a virtual pet.
On 18th April, an anonymous hacker broke through the game’s defences and released part of the game’s database on a well-known hacking forum. The uploaded file was 1 GB in size and contained 22,982,319 pairs of usernames and passwords, with the passwords hashed with the MD5-Crypt algorithm. The breach was the result of an SQL injection vulnerability in one of the website’s web forms. The hackers also obtained the hashed versions of parents’ email addresses; however, this data has not been leaked.
Apparently, Webkinz and its staff had detected the breach and patched the hacker’s point of entry. “For security purposes, during the archiving process, we remove all information associated to the account other than the User Name and Password,” the company said on the website’s support page. “Please note that if an account remains inactive for a period of 7 years, Ganz will then delete that account.”
ZDNet contacted Ganz for comment, and a spokesperson said, “Webkinz has never asked for last names, phone numbers or addresses and all transactions happen through our eStore, which has its own servers and accounts, which are in no way accessible through Webkinz. So even if someone was to decrypt a password, there is no information of value on the accounts beyond the game data itself.” This is a relief for the affected users, as their credentials are not of much use and lack personal information.
“A number of years ago we took extra efforts to improve our encryption techniques so that if a day came where any data did get out, it would be protected. We are currently reviewing all of the points of entry into our data to ensure that a similar attack won’t work elsewhere. We’re also trying to discern whether the leaked data is recent or of any value. If we feel that any player accounts are actually at risk we will take further steps to force password changes,” the company said.