The notorious data broker known as “ShinyHunters” has allegedly sold two databases belonging to ‘Animal Jam’ containing the details of 46 million accounts. Those who bought it are now sharing them for free on a dark web forum, so the compromise has reached ultimate levels.
Bleeping Computer reports to have seen samples of the data, and confirmed its validity. Moreover, the data appears to have been stolen on October 12, 2020, based on the timestamps, so actors had a full month to exploit what was in the records.
‘Animal Jam’ is an online virtual playground that targets children between four and eight years of age. Developed and published by ‘WildWorks,’ it is a cross-platform MMO focused around the premise of education through fun.
The game features several limitations to make it safe for the youngsters, like a safe chat function that only allows the kids to pick canned phrases. However, it appears that WildWorks hasn’t done an excellent job in keeping the user data safe from hackers, which is very troublesome in this particular case.
WildWorks CEO Clary Stacey has confirmed that the hackers managed to steal the AWS key after compromising the company’s Slack server. The break-in was dealt with promptly by the IT team, and they found no evidence that any user data had been exfiltrated. However, the data is already freely shared on the dark web, so there’s no doubt about that anymore.
The company ran a deeper investigation into the matter and now confirms that the following stuff was accessed and potentially copied:
WildWorks has reset all user passwords now, so every player will be requested to set a new one when they get back to the game. While unfortunate, this is still an excellent opportunity to talk to your children about online safety, account security, password strength, and what constitutes exposure avoidance and mitigation practices.