The online game Webkinz World, the virtual portal for the plush toys from Ganz, reportedly experienced a data breach earlier this month, leading to a hacker leaking usernames and passwords for nearly 23 million players this past weekend. According to ZDNet, the exploited vulnerability had been circulating for some time, but this appears to be the first example of it being used.
Webkinz, if you’re not familiar, are physical plush toys that come with a code their owners can use to access and play with a virtual version of them online. Allegedly, the hacker gained access to the game’s database using SQL injection via one of the website’s forms. According to ZDNet’s sources, the hacker’s point of entry has since been patched.
The passwords are reportedly protected with the MD5-Crypt password-hashing algorithm, and so far there have seemingly been no reports of accounts being accessed as a result of the data breach. It’s unclear whether the leaked usernames and passwords belong to active accounts or archived ones, with the latter having had all other information removed from them, according to Ganz.
Webkinz acknowledged the reported data breach yesterday with a brief update on social media:
Webkinz by Ganz (@webkinz), April 19, 2020
“Webkinz has never asked for last names, phone numbers or addresses and all transactions happen through our eStore, which has its own servers and accounts, which are in no way accessible through Webkinz,” a spokesperson later told ZDNet. “So even if someone was to decrypt a password, there is no information of value on the accounts beyond the game data itself.”
“A number of years ago we took extra efforts to improve our encryption techniques, so that if a day came where any data did get out, it would be protected,” the company said. “We are currently reviewing all of the points of entry into our data to ensure that a similar attack won’t work elsewhere. We’re also trying to discern whether the leaked data is recent or of any value. If we feel that any player accounts are actually at risk we will take further steps to force password changes.”