Cyber Incident Victim: Ganz

Date: Apr 2020

Location: Canada

Summary

A hacker leaked approximately 23 million usernames and passwords taken from an online children's game through an SQL injection vulnerability; the passwords were hashed using MD5-Crypt. The attacker also accessed hashed parent email addresses, though this data was not publicly released. The breach was detected by the victim company, which patched the vulnerability and asserted that no sensitive personal or financial information was stored on the compromised servers due to prior encryption improvements and segregated transaction systems. The company indicated the leaked data might be outdated given archival policies removing inactive account details after 18 months, but confirmed an ongoing review of entry points and potential forced password resets if active accounts were deemed at risk.

Description

In April 2020, an anonymous hacker leaked approximately 23 million username and password pairs from Webkinz World, an online children's game operated by Canadian toy manufacturer Ganz. The breach occurred earlier that month when the attacker exploited an SQL injection vulnerability in one of the website's web forms, gaining access to the game's database. Security researchers and data breach monitoring service Under the Breach confirmed the leaked data contained 22,982,319 credential pairs stored in a 1 GB file posted on a hacking forum. The passwords were hashed using the MD5-Crypt algorithm. According to sources familiar with the incident, hackers also obtained hashed versions of parents' email addresses during the intrusion, though this information was not included in the public leak. Webkinz staff detected the unauthorized access and subsequently patched the vulnerability used by the attacker. The company noted that archived accounts inactive for over 18 months had most personal information removed except usernames and passwords, with complete deletion occurring after seven years of inactivity, though the leak's specific impact on active versus archived accounts remained unconfirmed at the time of reporting.

Ganz confirmed awareness of the attack but initially stated they were uncertain about its success until the data appeared online. The company responded by enhancing security measures in the Parents Area section of their platform and initiating a review of all system entry points to prevent similar breaches. Webkinz emphasized that their systems did not store sensitive personal information like last names, phone numbers, or addresses, with all financial transactions processed through separate eStore servers inaccessible via Webkinz accounts. The company highlighted previous encryption upgrades designed to protect data in case of exposure and stated they were evaluating the leaked data's recency and value. Ganz committed to enforcing password resets if evidence emerged of active player account compromises but maintained that decrypted credentials would only expose game-related data rather than sensitive personal information. Security researchers noted that details about the SQL vulnerability had circulated in hacker forums and instant messaging groups for months prior to the breach.
