A hacker has leaked the usernames and passwords of almost 23 million players of Webkinz World which is an online game for children managed by Canada based toy company Ganz.
The Webkinz game which was started as the online counterpart of a line of Ganz plush toys was launched in 2005. It is a very successful online children’s games for the past decade.
The user can play by entering a code from their plush toy on the Webkinz website and can also manage a version of their toy like a virtual pet.
A part of the game’s database was posted on a famous hacking forum by an anonymous hacker. The 1 GB file uploaded online contained 22,982,319 pairs of usernames and passwords, and the passwords were encrypted using MD5-Crypt algorithm.
The hacker reportedly attained access to the game’s database using an SQL injection vulnerability found in one of the website’s web forms. However, it was found that details about the vulnerability were circulating online for months, both on hacking forums and on online IM chat groups. According to some sources, the security breach took place earlier this month.
Besides username and password, the hacker also managed to obtain hashed versions of parents’ email addresses. But this data has not been leaked.
Webkinz staff on detecting the intrusion has patched the hacker’s point of entry into their systems.
Webkinz said in a support page on its website, that it archived accounts that have been inactive for more than 18 months and that during the archiving process they remove all information associated to the account other than the User Name and Password for security purposes. They also warned that if an account remains inactive for a period of 7 years, they would delete that account.
It is however not sure whether the hackers leaked these “archived” accounts, or whether the leaked data belongs to currently active users.