The details of 218 million users of “Words with Friends,” a popular social game made by Zynga Inc., have allegedly been stolen by a Pakistani hacker.

Gnosticplayers, the same hacker behind the theft of 139 million user records from Canva Pty. Ltd. in May and 93 million user records for a variety of sites in March, told The Hacker News that he breached the database related to the game Sept. 2.

Data stolen included names, email addresses, login IDs, hashed and salted passwords, requested password reset tokens, provided phone numbers, Facebook ID if the user had connected and Zynga account ID.

Zynga has not publicly responded to the report, but the company quietly published a “player security announcement” Sept. 12 that confirmed the hack. The announcement stated that “certain player account information may have been illegally accessed by outside hackers.”

In addition to the theft of user data from “Words with Friends,” the hacker also claims to have stolen 7 million records relating to other Zynga games, including “Draw Something” and “OMGPOP.” Some of those records are said to include clear-text passwords.

Kevin Gosschalk, chief executive officer of cybersecurity firm Arkose Labs Inc., told SiliconANGLE that it’s as though fraudsters are showing how diverse their industry portfolio is.

“In the past three months, consumers could have had their identity breached by applying for a credit card with the largest card company, ordering food on a popular delivery app, signing up for a movie membership card, participating in online dating or even playing a game on their phone,” Gosschalk said. “No industry is safe if it involves user data.”

This breach is significant, he added, not just because of the sheer number of consumers affected but because the demographic is diverse.

“Zynga’s portfolio includes games that are popular with many different age groups, ranging from ‘Words with Friends,’ where half of users are above the age of 45, to the game ‘Draw Something,’ which has an age rating of four-plus,” he noted. “Children are not actively tracking or monitoring their digital footprints and identity usage, which gives criminals a long runway to farm identities and destroy a child’s digital footprint well before they even graduate high school.”

Robert Prigge, president of identity verification company Jumio Corp., said the exposed information is sure to find a home on the dark web, enabling fraudsters to log into user accounts and commit account takeover fraud. “Because these games are often connected to user Facebook accounts, hackers can gain access to far more information under a forged identity,” he said.

How the hack took place is not yet known, but Ilia Kolochenko, founder and chief of web security company ImmuniWeb, speculated that it might be yet another case of unsecured cloud storage. “In light of the reported inclusiveness of compromised data, it may well be a breach related to unprotected backup available in a cloud or elsewhere,” Kolochenko suggested.

The one upside, he added: So far, Zynga’s response seems to be adequate.

Photo: gamesforchange/Flickr