Data Stolen From 218 Million Words With Friends Users

Info stolen from gaming giant Zynga includes names, email addresses, login IDs, phone numbers, and Facebook IDs


As many as 218 million consumers who play—or used to play—Zynga's popular Words With Friends game have been advised to change their passwords after a hacker gained access to personal data in September.

A hacker using the online alias Gnosticplayers accessed information for all iOS and Android users who signed up for Words With Friends before September 2 of this year, according to The Hacker News.

The stolen information, revealed to the news site by the hacker, reportedly included names, email addresses, login IDs, hashed (scrambled) passwords, Zynga account IDs, and in some cases, phone numbers and Facebook IDs. The same hacker reportedly sold almost a billion user records from dozens of popular sites earlier this year.

In a statement, Zynga provided little detail on what data had been stolen but said that no financial information was compromised. The gaming giant says that it has taken steps to protect accounts, and that many users will be prompted by email notification to reset their passwords.

You should change your password even if it's not clear that your account has been affected, security experts say.

"You want to create a strong password that's unique, and not shared with any other online accounts, especially important accounts like social media logins or bank accounts," says Justin Brookman, director of privacy and technology policy at Consumer Reports. "And stitching a bunch of random words together is more effective than [using common tactics such as] changing an 'i' to a '1' or exclamation point."


If you used your Words With Friends password for any other online account, it's prudent to change the password there, as well.

Though the hacker reportedly gained access to millions of Facebook IDs, Zynga says that Facebook passwords were not stolen. "Zynga does not collect your passwords for Facebook, Android, or iOS, and we have no indication that this information was involved in the event," the company wrote.

A close reading of Zynga's privacy policy suggests that the company collects far more information than your favorite high-value, five-letter words. The company encourages users to share their phone contacts, and it may collect location data through users' smartphones.

If you access the service through Facebook, Zynga may also collect information about your Facebook friends, the email address you use with Facebook, your birthday, and more. That information is retained for as long as the player's account is open, and in some cases even longer.

Words With Friends was created in 2009 and became one of the first widely popular social media games for mobile devices. Zynga has long been one of the world's largest providers of online games, with other popular titles including Farmville, Cityville, and Zynga Poker.

Some of the games were extremely popular on Facebook for several years before Facebook says it tightened its controls on how much data app companies could download. (That was the period when the data used by the political consulting firm Cambridge Analytica was downloaded, Facebook has said.) Zynga and Facebook have not responded to Consumer Reports' requests for comment.

Zynga maintains that most of its other games were not affected by the breach, although user data was stolen from Draw Something and the now-defunct OMGPOP game, according to The Hacker News. That data included valuable non-hashed passwords.

"Consumers should ask if Zynga needs all of this information," says Bobby Richter, program manager of privacy and security testing at Consumer Reports.

If you're no longer playing Words With Friends, you might want to think about closing your account and deleting the data associated with it. The company can send you a copy of the data it has collected about you—requests are processed in anything from a few hours to a few days, according to the company. You can delete that data within 30 days of the request. The company says that in most cases, deleting data for one game won't affect your ability to continue to play another Zynga game.

Digital Housekeeping

Do you ever feel overwhelmed by the number of log-ins and passwords you have? On the "Consumer 101" TV show, Consumer Reports’ expert Bree Fowler explains to host Jack Rico how to find and eliminate old online accounts.

Allen St. John
