Hacker leaks 23 million usernames and passwords from Webkinz children's game

Exclusive: Webkinz security breach occurred earlier this month, sources have told ZDNet.

Image: Webkinz, ZDNet

A hacker today leaked the usernames and hashed passwords of nearly 23 million players of Webkinz World, an online children's game run by Canadian toy company Ganz.

The Webkinz game launched in 2005 as the online counterpart of a line of Ganz plush toys. Users could enter a code from their plush toy on the Webkinz website where they could play and manage a version of their toy in the form of a virtual pet.

The game has been one of the most successful online children's games of the past decade next to Disney's Club Penguin.

However, today an anonymous hacker posted part of the game's database on a well-known hacking forum. ZDNet obtained a copy of the leaked file with the help of data breach monitoring service Under the Breach.

The 1 GB file uploaded online contained 22,982,319 username and password pairs, with the passwords hashed (not encrypted, as is often reported) using the MD5-Crypt algorithm, the salted, 1,000-round "$1$" scheme that originated in FreeBSD. MD5-Crypt cannot be reversed, but it dates from the mid-1990s, has no tunable work factor, and runs at millions of guesses per second on a commodity GPU, so weak or reused passwords in a dump of this size can be recovered by dictionary attack.
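To make the "hashed, not encrypted" distinction concrete, the following is an added example (not ZDNet's or Ganz's code, and nothing below comes from the leaked file): a pure-Python implementation of the FreeBSD MD5-Crypt algorithm on top of hashlib, a verifier, and a small dictionary attack run over a constructed sample dump with made-up usernames, salts and passwords. The usernames, salts and wordlist are assumptions for the demo.

```python
"""MD5-Crypt ($1$) hashing, verification and a dictionary attack.

Added illustration; the sample dump and wordlist are constructed.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` characters, low 6 bits first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def _clean_salt(salt: str) -> str:
    """Strip a leading '$1$', stop at the next '$', keep at most 8 chars."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    return salt.split("$", 1)[0][:8]


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' following FreeBSD's crypt_md5()."""
    pw = password.encode("utf-8")
    salt = _clean_salt(salt)
    s = salt.encode("utf-8")

    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    # Mix in len(pw) bytes of MD5(pw + salt + pw), 16 at a time.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0].
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of re-hashing: the scheme's only, fixed, work factor.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Digest bytes are permuted into 3-byte groups before encoding.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def verify(password: str, stored: str) -> bool:
    """Constant-time check of `password` against a stored '$1$...' string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    computed = md5_crypt(password, parts[2])
    return hmac.compare_digest(computed.encode(), stored.encode())


def crack(dump: dict, wordlist: list) -> dict:
    """Dictionary attack: for each user, try every guess until one verifies."""
    recovered = {}
    for user, stored in dump.items():
        for guess in wordlist:
            if verify(guess, stored):
                recovered[user] = guess
                break
    return recovered


# Constructed sample "dump": made-up users, salts and passwords (assumptions).
SAMPLE_DUMP = {
    "kidplayer": md5_crypt("fluffy", "aB3dEf9h"),
    "webkinz_fan": md5_crypt("password1", "Zq8.xY1/"),
    "careful_parent": md5_crypt("correct horse battery staple", "k7Lm2nPq"),
}

# Constructed wordlist of weak guesses; the passphrase above is not in it.
WORDLIST = ["123456", "password", "password1", "fluffy", "webkinz", "qwerty"]


def demo() -> dict:
    """Run the dictionary attack over the constructed dump."""
    return crack(SAMPLE_DUMP, WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")
```

The two weak passwords fall to a six-word list; the passphrase does not, which is the whole value the salted hash provides. To cross-check the implementation against a standard tool, `openssl passwd -1 -salt aB3dEf9h fluffy` produces the same string as `md5_crypt("fluffy", "aB3dEf9h")`, and hashcat cracks this format as mode 500. Because the 1,000-round cost is fixed and MD5 is cheap, a real attack against 23 million hashes would use a GPU and a far larger wordlist; bcrypt, scrypt or Argon2 with a tunable cost is what a site storing passwords today should use instead.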

Image: webkinz-data.png, ZDNet

Sources familiar with the hack have told ZDNet that the security breach took place earlier this month.

The hacker allegedly gained access to the game's database using an SQL injection vulnerability present in one of the website's web forms.

ZDNet has learned that details of the vulnerability had been circulating online for months before today's leak, both on hacking forums and in online IM chat groups.
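The article names the flaw class but, rightly, not the details. As an added, generic illustration of that class (not Ganz's code, and saying nothing about the actual Webkinz form or query), here is a username-lookup form handler that splices input into SQL, beside its parameterized fix, run against a constructed in-memory SQLite table. The table layout, usernames and placeholder hash strings are assumptions for the demo.

```python
"""SQL injection in a web-form lookup, vulnerable form beside the fix.

Added illustration; the table and rows are constructed sample data.
"""
import sqlite3

# Constructed sample rows; the hash strings are placeholders, not real hashes.
SAMPLE_ACCOUNTS = [
    ("kidplayer", "hash-of-kidplayer"),
    ("webkinz_fan", "hash-of-webkinz_fan"),
    ("careful_parent", "hash-of-careful_parent"),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory accounts table (layout is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def find_username_vulnerable(conn: sqlite3.Connection, typed: str) -> list:
    """The bug: form input is pasted into the SQL text, so a quote in `typed`
    ends the string literal and everything after it is parsed as SQL.
    sqlite3.execute() refuses stacked statements (a '; DROP TABLE' payload
    raises), but OR and UNION payloads run inside the single statement."""
    sql = f"SELECT username FROM accounts WHERE username = '{typed}'"
    return [row[0] for row in conn.execute(sql)]


def find_username_safe(conn: sqlite3.Connection, typed: str) -> list:
    """The fix: a bound parameter is always data, never SQL, whatever it
    contains. The same input that dumps the table above matches no row here."""
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (typed,))]


# Constructed payloads a tester would type into the form field.
PAYLOAD_ALL_ROWS = "x' OR 1=1 --"
PAYLOAD_OTHER_COLUMN = "x' UNION SELECT pw_hash FROM accounts --"


def demo() -> dict:
    """Run both handlers against a normal input and the two payloads."""
    conn = build_demo_db()
    results = {}
    for label, typed in (
        ("normal", "kidplayer"),
        ("all_rows", PAYLOAD_ALL_ROWS),
        ("other_column", PAYLOAD_OTHER_COLUMN),
    ):
        results[label] = {
            "vulnerable": sorted(find_username_vulnerable(conn, typed)),
            "safe": sorted(find_username_safe(conn, typed)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The second payload is the one that matters for a breach like this: a form that only ever echoes a username back can be made to echo any other column of the same table, which is how a "harmless" lookup form turns into a dump of username and hash pairs. The parameterized handler returns nothing for both payloads because the whole string is compared as a username.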

Image: webkinz-sql.png, ZDNet

We've been told that, besides the username and password pairs, the hackers also obtained hashed versions of parents' email addresses; that data, however, has not been leaked.

Sources told us that Webkinz staff had detected the intrusion and patched the hacker's point of entry into their systems.

In a support page on its website, Webkinz says it archives accounts that have been inactive for more than 18 months.

"For security purposes, during the archiving process, we remove all information associated to the account other than the User Name and Password," the company said. "Please note that if an account remains inactive for a period of 7 years, Ganz will then delete that account."

At the time of writing, it is unclear if hackers have stolen these "archived" accounts, or if the leaked data belongs to currently active users.

ZDNet contacted Ganz for comment and to notify the company of the leaked data. A Webkinz spokesperson told ZDNet that the company was indeed aware of an attack against its website, but had not been aware that it succeeded. The company said that since detecting the attack it has "added more security to the Parents Area."

"Webkinz has never asked for last names, phone numbers or addresses and all transactions happen through our eStore, which has its own servers and accounts, which are in no way accessible through Webkinz," a spokesperson told ZDNet. "So even if someone was to decrypt a password, there is no information of value on the accounts beyond the game data itself."

"A number of years ago we took extra efforts to improve our encryption techniques, so that if a day came where any data did get out, it would be protected. We are currently reviewing all of the points of entry into our data to ensure that a similar attack won't work elsewhere. We're also trying to discern whether the leaked data is recent or of any value. If we feel that any player accounts are actually at risk we will take further steps to force password changes," the company said.

Article updated on April 20, 03:00am ET with comments from Webkinz.