Data Stolen From 218 Million Words With Friends Users

Info stolen from gaming giant Zynga includes names, email addresses, login IDs, phone numbers, and Facebook IDs

Allen St. John, Consumer Reports Senior Home & Tech Writer.

By Allen St. John
Senior Home & Tech Writer

October 1, 2019

As many as 218 million consumers who play—or used to play—Zynga's popular Words With Friends game have been advised to change their passwords after a hacker gained access to personal data in September.

A hacker using the online alias Gnosticplayers accessed information for all iOS and Android users who signed up for Words With Friends before September 2 of this year, according to The Hacker News.

The stolen information, revealed to the news site by the hacker, reportedly included names, email addresses, login IDs, hashed (scrambled) passwords, Zynga account IDs, and in some cases, phone numbers and Facebook IDs. The same hacker reportedly sold almost a billion user records from dozens of popular sites earlier this year.

In a statement, Zynga provided little detail on what data had been stolen but said that no financial information was compromised. The gaming giant says that it has taken steps to protect accounts, and that many users will be prompted by email notification to reset their passwords.

You should change your password even if it's not clear that your account has been affected, security experts say.

"You want to create a strong password that's unique, and not shared with any other online accounts, especially important accounts like social media logins or bank accounts," says Justin Brookman, director of privacy and technology policy at Consumer Reports. "And stitching a bunch of random words together is more effective than [using common tactics such as] changing an 'i' to a '1' or exclamation point."

If you used your Words With Friends password for any other online account, it's prudent to change the password there, as well.

Though the hacker reportedly gained access to millions of Facebook IDs, Zynga says that Facebook passwords were not stolen. "Zynga does not collect your passwords for Facebook, Android, or iOS, and we have no indication that this information was involved in the event," the company wrote.

A close reading of Zynga's privacy policy suggests that the company collects far more information than your favorite high-value, five-letter words. The company encourages users to share their phone contacts, and it may collect location data through users' smartphones.

If you access the service through Facebook, Zynga may also collect information about your Facebook friends, the email address you use with Facebook, your birthday, and more. That information is retained for as long as the player's account is open, and in some cases even longer.

Words With Friends was created in 2009 and became one of the first widely popular social media games for mobile devices. Zynga has long been one of the world's largest providers of online games, also including popular titles like Farmville, Cityville, and Zynga Poker.

Some of the games were extremely popular on Facebook for several years before the company says it tightened its controls on how much data app companies could download. (That was the period when the data used by the political consulting firm Cambridge Analytica was downloaded, Facebook has said.) Zynga and Facebook have not responded to Consumer Reports' requests for comment.

Zynga maintains that most of its other games were not affected by the breach, although user data was stolen from Draw Something and the now-defunct OMGPOP game, according to Hacker News. That data included valuable non-hashed passwords.

“Consumers should ask if Zynga needs all of this information," says Bobby Richter, program manager of privacy and security testing at Consumer Reports.

If you're no longer playing Words With Friends, you might want to think about closing your account and deleting the data associated with it. The company can send you a copy of the data it has collected about you—requests are processed in anything from a few hours to a few days, according to the company. You can delete that data within 30 days of the request. The company says that in most cases, deleting data for one game won't affect your ability to continue to play another Zynga game.

Digital Housekeeping

Do you ever feel overwhelmed by the number of log-ins and passwords you have? On the "Consumer 101" TV show, Consumer Reports’ expert Bree Fowler explains to host Jack Rico how to find and eliminate old online accounts.

Allen St. John

Allen St. John has been a senior product editor at CR since 2016, focusing on digital privacy, audio devices, printers, and home products. He was a senior editor at Condé Nast and a contributing editor at publications including Road & Track and The Village Voice. A New York Times bestselling author, he's also written for The New York Times Magazine, The Wall Street Journal, and Rolling Stone. He lives in Montclair, N.J., with his wife, their two children, and their dog, Rugby.