Zynga’s Words with Friends Data Breach: Judge Says No-Go on Class Action Lawsuit
Table of Contents
- By Dawna M. Roberts
- Published: Aug 12, 2021
- Last Updated: Mar 18, 2022
Mobile game developer Zynga suffered a data breach in 2019 that exposed users’ names, email addresses, passwords, phone numbers, and other personal data. As a result, the company faced four class-action lawsuits.
What Happened?
In a surprising move, on Friday, U.S. District Court Judge Yvonne Gonzalez Rogers threw the lawsuits out of court, saying that “The court grants the motion to compel arbitration and grants the motion to dismiss for lack of standing with leave to amend.”
Data Breach Today explains “Her reasoning: Users whose data was exposed agreed to terms and conditions specifying that any disagreements would be resolved via arbitration, and they also haven’t been able to prove they suffered any financial harm from the breach.”
The 2019 Data Breach That Launched Four Lawsuits
In September 2019, Zynga notified customers that it had suffered a massive data breach. In its initial notification, the company said, “Cyberattacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.”
The Hacker News first reported the incident in 2019, saying that “a prolific Pakistani hacker known as Gnosticplayers claimed to be behind the attack, resulting in the theft of customer account information for more than 218 million users of Words With Friends.”
In the latest consolidation of the four lawsuits, the legal team for the plaintiffs said, “Hundreds of millions of people, including plaintiffs, trusted and believed Zynga’s promise to protect their personally-identifying information. Yet despite its promise, Zynga failed to protect its customers’ PII by, among other things, using outdated password encryption methods that were banned for use by federal governmental agencies as early as 2010.”
The lawsuit points to the use of the SHA-1 algorithm for password protection which cybersecurity experts know to be outdated and insecure. Experts recommend instead bcrypt or some other password-hashing algorithm.
Data Breach Today stated that “Zynga has continued to argue in court that the lawsuit should be moved to arbitration. After the consolidated class action was filed on April 27, Zynga again made a motion to compel arbitration for part of the claims, as well as to dismiss the other parts of the lawsuit, asserting that they had no Article III standing and also failed to state a claim.”
The Legal Loophole
The judge threw the lawsuit out and forced arbitration because no financial information was stolen in the data breach. Instead, the hacker got away with:
- “Usernames.
- Email addresses.
- Zynga login ID.
- “Hashed passwords, SHA1 with salt”.
- Password reset tokens, if they had been previously requested.
- Phone numbers, if provided by a user.
- Facebook ID, if provided by a user.
- Zynga account ID.”
Who is Zynga?
Zynga is a mobile game developer founded in 2007. Its most notable achievements are games like Words with Friends and FarmVille. The company claims to have 164 million active users per month.