Animal Jam - Data Breach Passwords

The severity of storing plain text passwords did not go unnoticed by the legal system. A class action lawsuit was filed against WildWorks in the United States District Court for the District of Wyoming (Case 2:21-cv-00090).

The plaintiffs alleged:

The lawsuit highlighted that WildWorks had been warned by security researchers years prior about their poor password storage but failed to act due to "legacy code" issues. The outcome of the litigation resulted in undisclosed settlement costs, but the reputational damage was permanent.

While the public became widely aware of the breach in late 2020, evidence suggests that the attacker had access to WildWorks’ servers for much longer.

  • Root cause (likely): Inadequate protection of credentials (weak hashing, plaintext storage, or compromised admin credentials), or successful intrusion via vulnerable web app/API.
  • Customer notification template (short): "We recently identified unauthorized access to our user authentication database. We are resetting passwords for impacted accounts and recommend changing passwords on other services if reused. We are investigating and have taken steps to secure systems."

Case Study: The 2020 Animal Jam Data Breach

Executive Summary

In October 2020, WildWorks, the developer of the popular children’s virtual world Animal Jam, suffered a significant data breach. Approximately 46 million player records were compromised, including encrypted passwords and personal identifiers. This incident remains one of the largest data exposures targeting a platform primarily used by minors.

1. Incident Overview

Discovery: The breach was confirmed in October 2020 after stolen data began appearing on hacking communities such as RaidForums.

Methodology: The breach originated from a compromised third-party server used for internal communication, allowing hackers to gain unauthorized access to the database. 46 million user accounts were affected, including over 7 million unique email addresses belonging to parents.

2. Compromised Data Categories

The stolen dataset included a variety of sensitive information:

Usernames: Both account-specific names and real-world parent names.

Passwords: While the passwords were encrypted (hashed), they were part of the released database.

Personal Identifiers: IP addresses, birth years, genders, and parent email addresses.

Billing Information: No full credit card details were exposed, though some billing addresses were included in specific records.

3. Password Vulnerability and Mitigation

The Risk of Hashed Passwords

Although the passwords were encrypted (hashed), attackers routinely run "brute force" or "dictionary attacks" against breached datasets to crack simple or common passwords. According to security analysts at Have I Been Pwned, exposed credentials put users at risk of "credential stuffing," where attackers use known email/password combinations to access other accounts.

Institutional Response

Following the breach, WildWorks took the following corrective actions:

Forced Resets: All players were required to change their passwords immediately upon their next login.

Parental Notification: Emails were sent to registered parents explaining the scope of the breach and providing safety instructions.

Security Overhaul: The company enhanced its encryption methods and discontinued the use of the compromised third-party service.

4. Current Safety Recommendations

To prevent further unauthorized access, cybersecurity experts recommend:

Password Complexity: Using the "3-word rule" to create long, unique passwords (e.g., CoffeeBatterySunset) that are difficult for hackers to crack.

Credential Monitoring: Using tools like the F-Secure Identity Theft Checker or Apple's Password Monitoring to see if personal data has been leaked in past breaches.

Multi-Factor Authentication (MFA): Enabling secondary verification whenever available to provide a layer of security beyond just a password.

Conclusion

The Animal Jam breach highlights the persistent threat to children’s digital privacy. While WildWorks successfully forced password resets to mitigate immediate damage, the permanence of the leaked data on the dark web serves as a reminder for users to practice rigorous password hygiene across all online platforms.

Animal Jam Data Breach - Have I Been Pwned
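The hashed-password risk in section 3 and the hygiene rules in section 4, worked through as an added example (not WildWorks' code and not from the original page): a registration check that rejects passwords found in a breach corpus and stores the rest with a salted, memory-hard scrypt hash, so that two users with the same password no longer share a stored value and a leaked table cannot be cracked with one precomputed dictionary pass. The small breach corpus, the `register`/`verify_password` names and the scrypt parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 the
# way Have I Been Pwned's Pwned Passwords set is; a real check would query
# that service (or a local copy) instead of this small set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "animaljam", "password1234")
}

# scrypt work factor (assumed values): about 16 MiB of memory per guess, so
# an offline dictionary run against a leaked table costs far more per
# candidate than it would against unsalted SHA-1 or MD5.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def hash_password(password: str) -> str:
    """Salted scrypt hash, stored as 'scrypt$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)  # fresh per user, so equal passwords hash differently
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(password: str) -> str:
    """Apply the hygiene rules from section 4, then return the value to store."""
    if len(password) < 12:
        raise ValueError("too short: use three or more unrelated words")
    if is_breached(password):
        raise ValueError("password appears in a known breach corpus")
    return hash_password(password)


if __name__ == "__main__":
    stored = register("CoffeeBatterySunset")  # the page's 3-word example
    print(stored)
    print(verify_password("CoffeeBatterySunset", stored))  # True
```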