Online kids’ game Animal Jam confirms large breach

Personally identifiable information (PII) on as many as 46 million players of the online children’s game Animal Jam, including birth dates, gender, and parents’ full names and billing addresses, have been stolen in a cyber attack on a server at a third-party supplier used by the game’s developers WildWorks

Launched in 2010 as an “exciting and safe online playground for kids who love animals and the outdoors”, Animal Jam has approximately 130 million users and over 300 million individual avatars.

The database, seen circulating online in underground forums, is believed to have been stolen by a malicious actor using the alias ShinyHunters, and according to Bleeping Computer, which first reported the story, was likely taken in mid-October 2020.

Wildworks said the database contained email addresses connected to seven million Animal Jam and Animal Jam Classic parent accounts, 32 million player usernames associated with these accounts, encrypted passwords, 14.8 million player birth years, 23.9 million player gender records, 5.7 million precise player birthdates, 12,653 parents’ full names and billing addresses, and 16,131 parents’ full names without an associated address.

In a statement, WildWorks said: “We believe the information stolen was confined to the items listed above. No real names of children were part of this breach. Billing name and billing address were included in 0.02% of the stolen records; otherwise no billing information was stolen, nor information that could potentially identify parents of players.

“All Animal Jam usernames are human moderated to ensure they do not include a child’s real name or other personally identifying information.”

The firm learned of the attack on 11 November when threat researchers alerted it after spotting some of the data being posted at raidforums.com, a public forum, and at the time of writing it does not appear to have been circulated any further.

In its statement, WildWorks stressed that no other user data seemed to have been accessed, and all user databases have since been secured. As a precaution, all players are to be made to change their passwords immediately on their next login, and are advised to check their data on HaveIBeenPwned. If account holders have created accounts at any other online service using the same password, this should also be changed immediately. US law enforcement has also been notified.

KnowBe4 security awareness advocate Javvad Malik said it was reassuring to see WildWorks acting proactively in investigating the incident with such transparency. However, it said, it raised questions over how technology has become deeply embedded in daily life to the extent that even children’s games need to be linked to accounts that hold PII.

”It’s why, at a broad scale, manufacturing and technology need to work together to embed security not just in products, but create a culture of security that pushes good security practices to the forefront. While no one approach will be able to prevent all breaches, it’s important that data isn’t collected unless necessary, and the data that is collected is done for legitimate purposes and secured properly,” said Malik.

Comparitech’s Brian Higgins added: “WildWorks are clearly dealing with this attack in the most transparent and professional manner, but the data has already been compromised. 

“Their advice to users to change passwords and monitor use for potential phishing attacks is good and should be followed immediately. The period directly after a breach of this nature is made public is the most vulnerable to these kinds of further attacks as criminals will seek to exploit the worry and fear of parents, carers and family members while WildWorks seek to resolve the issue as safely as possible for all concerned.

“Any and all unsolicited contact should be passed to the authorities and not replied to or engaged with under any circumstances. Don’t click on any links or provide any information however worrying this situation may be. You will almost certainly make it worse.” 

Higgins added that given the data relates to minors, parents located in the UK may wish to draw on the resources of the police’s Child Exploitation and Online Protection (CEOP) service, which can be found online and Tweeting @CEOPUK.