Virtual children’s playground Animal Jam suffered a data breach that compromised 46 million user accounts. The incident, which took place in October, reportedly stemmed from a cyber attack on a third-party server used by the company.
Based on WildWorks’ blog post, the hacker gained access to the information after obtaining a key.
Animal Jam is an online world developed and created by WildWorks for kids aged seven to 11 first released in 2010. Threat Post states that the platform was marketed as a safe and educational space for the exploration of nature. It currently has players from over 225 countries.
According to Bleeping Computer, this virtual world allows children to play online games with other players. This platform boasts of more than 300 million animal avatars created by kids, with a new one added every 1.4 seconds.
A threat actor reportedly shared two databases from Animal Jam on a hacker forum called raidforums.com on November 11, 2020. The databases in question are titled ‘game_accounts’ and ‘users.’ The combination of the two contained around 46 million user records.
As part of the free release uploaded on the said forum, Bleeping Computer said that the threat actor released around seven million user records. From the records, the news site states that the data breach most likely occurred between October 10 and October 12 of this year.
WildWorks only found out about the incident after the malicious actor posted on the underground forum. In its blog post, it said it only learned of the incident on November 11, 2020, after they were alerted by security researchers.
Among the information made vulnerable to the public where email addresses used to create the account, usernames of players, encrypted passwords, gender, and birthday details. Moreover, parents’ full names and billing addresses were also exposed to the public.
However, the company emphasized that “no real names of children were part of this breach.” The information released also ensured that personally identifying information was not made available.
Following the incident, WildWorks notified the public about the breach, with the site providing a detailed FAQ portion in keeping with its advocacy of being a safety and privacy-centric company.
Apart from this, the company also advised users to update their passwords. The firm has also offered to provide additional assistance to affected players or individuals.
As of writing, the investigation surrounding the incident is still on-going. The company is coordinating with other law enforcement agencies and the FBI to help catch the attackers.