A well-known hacker is taking credit for a data breach at the mobile game maker Zynga, claiming he gained access to 218 million user records.

On Sept. 12, Zynga reported that a cybersecurity incident had taken place and that account login information for certain players of Draw Something and Words With Friends may have been accessed. The company did not give any details on the hack or the number of users affected, but said it has taken steps to protect the accounts in question.

The Hacker News said it has been in contact with the hacker Gnosticplayers, who painted a much different picture of what transpired. He claimed to have gained entry to a database of more than 218 million game players and gave the news organization some samples of the stolen data. The hacker said the data is from all Android and iOS players who signed up for Words With Friends before September 2 and includes:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

Gnosticplayers is well known for stealing and then selling data. In February he posted 93 million stolen records for sale on the dark web, followed by another 26 million in March, with yet another dump of 139 million records in May.

“While a breach is always unfortunate, it is encouraging to see that Zynga had sufficient monitoring in place to detect the breach and notify its customers. What is not so encouraging is seeing a subset of several million users’ passwords which had been stored in cleartext. In today’s day and age, no company should be storing cleartext passwords,” said Javvad Malik, security awareness advocate, KnowBe4. “With many users frequently reusing passwords, the breach of this nature can lead to other accounts of individuals being compromised, particularly as the breach also contained email addresses.”