WildWorks has learned that a database containing some Animal Jam user data was stolen in connection with a recent attack on the server of a vendor WildWorks uses for intra-company communication. A subset of the stolen records includes the email addresses of the parents managing the player accounts and other data that could be used to identify the parents of Animal Jam players.
What information was taken?
The database circulated by the hackers consists of approximately 46M Animal Jam account records. The information in these records includes the following:
- Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
- Approximately 32 million player usernames associated with these parent accounts
- Passwords associated with those user accounts, but in encrypted form
- 14.8M records include the birth year the player entered at account creation
- 23.9M records include the gender the player entered at account creation
- 5.7M accounts include the full birthday the player entered at account registration
- 12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
- 16,131 of the parent accounts include a parent’s first and last name, without a billing address
We’ll update this FAQ with any new information on the data stolen as our investigation progresses.
We believe the information stolen was confined to the items listed above. No real names of children were part of this breach. Billing name and billing address were included in 0.02% of the stolen records; otherwise no billing information was stolen, nor information that could potentially identify parents of players. All Animal Jam usernames are human moderated to ensure they do not include a child’s real name or other personally identifying information.
When did this happen?
We believe our vendor’s server was compromised sometime between October 10 and 12, 2020. It was not apparent at the time that a database of account names was accessed as a result of the break-in, and all relevant systems were altered and secured against further intrusion. The database theft most likely occurred in the same October 10-12, 2020 time window.
WildWorks learned of the database theft today, November 11, 2020, when security researchers monitoring a public hacker forum saw the data posted there and alerted us.
Where was this information circulated?
Security researchers discovered this information was uploaded to raidforums.com, a well-known online forum for cyber-criminals. At this time we have not seen it circulated anywhere else, but we are continuing to investigate.
The database compromised in this breach includes a subset of accounts created in Animal Jam and Animal Jam Classic over the past 10 years. Independent security researcher Troy Hunt maintains a website that tracks thefts of user data to provide the public with the ability to determine if their data has been compromised by these crimes. Visit https://haveibeenpwned.com and search for your email address there. The website will show you any data breaches known to security researchers that included your email address.
How did this happen?
Our investigation is ongoing, but it appears that a hacker was able to penetrate the server of a third-party vendor WildWorks uses for intra-company communication. There they obtained a key that enabled them to access this database. No other user data appears to have been accessed, and all user databases have now been secured against similar attacks.
Is my Animal Jam account safe?
The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgeable hackers to break the encryption and expose your password as plain text.
As a precaution, we are forcing ALL players to change their passwords immediately to ensure the security of their accounts. We urge Jammers to choose a new password that is at least 8 characters long and incorporates a random combination of capital letters, numbers, and lowercase letters, but does NOT incorporate any actual words or names.
Have the hackers been caught?
WildWorks is sharing all of our information about this data breach with the FBI and international enforcement agencies. We will work closely with law enforcement to identify and prosecute the perpetrators of this attack.
What should I do to protect myself?
- Search for any email address you’ve used in the past several years at the https://haveibeenpwned.com website to see if it was among those in the compromised database.
- If your email address WAS included in the breach, as a precaution you should change your email account password immediately — especially if it’s a password you also use for other online accounts.
- Never share your Animal Jam password with anyone, for any reason. Not even your best friend. Never enter your username or password into websites promising free Sapphires or Pack memberships. These sites exist solely to steal your login credentials.
- If you believe your Animal Jam account was accessed illegally, contact the security team via email at firstname.lastname@example.org or click here. They will investigate and secure your account.