A hacker has leaked today the usernames and passwords of nearly 23 million players of Webkinz World, an online children’s game managed by Canadian toy company Ganz.
The Webkinz game launched in 2005 as the online counterpart of a line of Ganz plush toys. Users could enter a code from their plush toy on the Webkinz website where they could play and manage a version of their toy in the form of a virtual pet.
The game has been one of the most successful online children’s games of the past decade next to Disney’s Club Penguin.
However, today, an anonymous hacker has posted a part of the game’s database on a well-known hacking forum. ZDNet has obtained a copy of the leaked file with the help of data breach monitoring service Under the Breach.
The 1 GB file uploaded online contained 22,982,319 pairs of usernames and passwords, with the passwords being encrypted with the MD5-Crypt algorithm.
Sources familiar with the hack have told ZDNet that the security breach took place earlier this month.
The hacker allegedly gained access to the game’s database using an SQL injection vulnerability present in one of the website’s web forms.
ZDNet has learned that details about the vulnerability have been circulating online before today’s leak for months, both on hacking forums and on online IM chat groups.
We’ve been told that besides username and password pairs, hackers were also successful in obtaining hashed versions of parents’ email addresses; however, this data has not been leaked.
Sources told us that Webkinz staff had detected the intrusion and patched the hacker’s point of entry into their systems.
ZDNet has contacted Ganz for comment and to notify the company of the leaked data, but we have not heard back before this article’s publication.
In a support page on its website, Webkinz says it archives accounts that have been inactive for more than 18 months.
“For security purposes, during the archiving process, we remove all information associated to the account other than then User Name and Password,” the company said. “Please note that if an account remains inactive for a period of 7 years, Ganz will then delete that account.”
At the time of writing, it is unclear if hackers have stolen these “archived” accounts, or if the leaked data belongs to currently active users.