Posted on April 19, 2020 at 1:45 PM
Reports today revealed that the personal data of about 23 million players of the children's game Webkinz World has been compromised. Hackers stole the account information from the gaming platform of the Canadian company Ganz and posted the usernames and passwords on the dark web.
According to a report by security researchers, the breach occurred earlier this month, and the unnamed hacker has already posted part of the game's database to a popular hacking forum.
According to the report, the 1GB file posted to the hacking forum contains about 23 million usernames and passwords, with the passwords hashed using the MD5-Crypt algorithm.
The hacker supposedly gained access to the game's database through an SQL injection, taking advantage of a vulnerability in one of the gaming site's web forums.
Webkinz has since fixed the flaw the hacker used to gain access to its system.
The Webkinz game was developed in 2015 and has since become one of the most popular games for children. The only game ahead of Webkinz in popularity is Disney's Club Penguin.
The company has already issued patches
The gaming company posted a message on its website informing the public of the recent patches and updates to its server. The parent company, Ganz, has archived accounts that have been dormant for the past 18 months as a measure to curtail further attacks and damage to the server.
The company said the action was necessary to maintain a high level of security against any further attack. It also informed users who have not been active for the past 7 years that their accounts will be deleted.
“Please note that if an account remains inactive for 7 years, Ganz will then delete that account,” the company said.
Dormant account users can still reactivate their accounts
The company also explained what to do if a user wants to reactivate an archived account. Users who wish to reactivate their accounts can do so if they remember the account's credentials. They should initiate the automatic account recovery process by logging in to the Webkinz World account. 24 hours after successful reactivation, the user will be able to start using the account, Ganz added.
It’s unclear whether the hacker stole more
Although there have been rumors about the data leak, researchers were only able to confirm it today after details of the hacked data were published on the hacking forum. The leaked data contains information about the users and other details about the parents’ email addresses. But it’s not clear whether the hackers stole more than what was leaked.
The hackers also succeeded in retrieving hashed versions of email addresses of users’ parents, although the hackers have not published this information yet.
At the time of writing, Ganz has not made any official statement about the recent development, even after they were contacted.
The hackers’ purpose is not known
Webkinz is an online gaming platform that has expanded its primary business to include toy-making. These 23 million records are from kids that purchased the Webkinz toys.
Although the breach occurred last month, the hackers waited until today to post the leaked data to a popular online hacking forum.
In most hacking cases where the hackers are not after a ransom, they could be working for competitors or just seeking attention. It’s not yet clear why the hacker infiltrated the Webkinz platform, because it doesn’t appear that the hackers demanded a ransom.
Ganz, the company behind the Webkinz games and toys, has cleverly engaged customers by linking its luxurious toys to them. It places a unique code on each toy, which buyers can enter on the Webkinz World portal. The idea is to manage the virtual section of the toys efficiently. The game is very popular with kids in both the United States and Canada.