218 Million Users of “Words With Friends” Had Their Data Stolen by Hackers

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

According to a report by “The Hacker News”, a Pakistani hacker nicknamed “Gnosticplayers” has managed to breach the servers of Zynga Inc. and steal user data of 218 million people, players of the “Words with Friends” game. The person responsible for the hack is the same who had managed to compromise Android apps in the past. In January, he put the credentials of 620 million accounts up for sale and cynically stated that it’s all about the money, he’s just a tool of the system, and that security is just an illusion.

This time, the particular hacker managed to hit a vein of gold, as “Words with Friends” is a very popular multiplayer crossword-puzzle game that has been around since over a decade. The hacker managed to access a server containing a database that held the data of more than 218 million users of the game, but this number isn’t representative of the entire player-base. According to the hacker, the particular breach affects all players who installed the particular app before September 2, 2019, both on the iOS and the Android platforms. Zynga realized the breach, and actually announced it about two weeks ago, promising to personally notify all players who have been affected.

Gnosticplayers shared some data to showcase what’s for sale. The sample entries include the people’s names, their email addresses, their login IDs, the hashed passwords (SHA1), and the Zynga account IDs. In the cases that apply, there’s also the Facebook ID, the password reset tokens, and the user’s phone number. These concern the “Words with Friends” game, but there is also a subset of data belonging to a lesser number of players of “OMGPOP” and “Draw Something”. In regards to these games, the hacker holds clear text passwords which correspond to 7 million users.

If you are playing a game developed or released by Zynga, you’d better reset your password. Don’t forget that if you are using the same password elsewhere, you should reset that one too. If you’re playing the game on Facebook, you should reset your Facebook password as well. Finally, if you wish for Zynga to wipe your data from their servers and minimize the chances of having it exposed in the future, you may request it on the company’s “Personal Data Request Portal”. Deletion requests are processed within 30 days.

Do you have something to comment on the above? Let us know of your opinion in the section beneath, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: