Webkinz World, an online children’s game managed by Canadian toy company Ganz, has become a victim of a cyber attack. As per a report by ZDNet, a hacker leaked the usernames and passwords of nearly 23 million players of the game.
The publication reported that the hacker posted a part of the database on a hacking forum. The publication obtained the file with the help of data breach monitoring service Under the Breach. The 1GB file contained 22,982,319 pairs of usernames and passwords, with the passwords hashed using the MD5-Crypt algorithm.
Webkinz World is the online counterpart of a line of Ganz plush toys launched as early as 2005. The game has reportedly been one of the most successful online children’s games of the past decade, next to Disney’s Club Penguin. To play Webkinz World, users need to enter a code from their plush toy. It allows them to manage a virtual version of their toy in the virtual world as a pet.
According to the publication, the Webkinz security breach took place earlier this month when the hacker allegedly gained access to the game’s database using an SQL injection vulnerability present in one of the web forms of the website.
As per the report, the vulnerability had been circulating for months on hacking forums and in online IM chat groups. Besides the usernames and passwords, the hackers were also successful in obtaining hashed versions of parents’ email addresses, which, as per the publication, have not been leaked.
ZDNet reported that the Webkinz staff had detected the intrusion and patched the hacker’s point of entry into their system. A Webkinz spokesperson told the publication that they were aware of an attack against its website but did not know that it had succeeded. The company said that since they detected the attack, they added more security to the Parents Area.
The spokesperson also told ZDNet that Webkinz never asked for last names, phone numbers, or addresses so even if someone was to decrypt a password, there is no information value on the accounts beyond the game data itself. All transactions happen through their eStore which has its own servers and accounts and cannot be accessed through Webkinz, hence, that data is safe.