Zynga Data Breach Analysis
Introduction
Zynga is an American social game developer. The company was founded in April 2007 with headquarters in San Francisco, California, United States. The company has a mission to “connect the world through video games”.
The company has developed multiple well-known games including Farmville, Zynga Poker, Words With Friends, Mafia Wars and Empires & Allies amongst others.
Zynga acknowledged the breach in September 2019 – in total, the data breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
What data is at risk?
The leaked data includes usernames, email addresses, dates of some sort (presumably registration and last visit dates), phone numbers and passwords hashed with the SHA-1 algorithm.
Email addresses
50 of the most frequently used email domains on Zynga can be seen below:
| # | Email Domain | Frequency |
|---|---|---|
| 1 | gmail.com | 57,066,237 |
| 2 | yahoo.com | 31,705,551 |
| 3 | hotmail.com | 19,621,241 |
| 4 | aol.com | 6,208,662 |
| 5 | zyngawf.com | 3,385,626 |
| 6 | comcast.net | 2,007,109 |
| 7 | hotmail.co.uk | 1,833,752 |
| 8 | icloud.com | 1,742,705 |
| 9 | live.com | 1,646,972 |
| 10 | msn.com | 1,229,160 |
| 11 | ymail.com | 1,033,850 |
| 12 | outlook.com | 996,471 |
| 13 | sbcglobal.net | 943,419 |
| 14 | me.com | 805,438 |
| 15 | att.net | 708,214 |
| 16 | verizon.net | 665,298 |
| 17 | aim.com | 648,613 |
| 18 | yahoo.co.uk | 620,792 |
| 19 | hotmail.fr | 547,208 |
| 20 | qq.com | 500,120 |
| 21 | cox.net | 471,127 |
| 22 | googlemail.com | 426,282 |
| 23 | rocketmail.com | 409,631 |
| 24 | bellsouth.net | 398,100 |
| 25 | live.co.uk | 343,250 |
| 26 | gmail.con | 327,016 |
| 27 | btinternet.com | 298,615 |
| 28 | bigpond.com | 279,067 |
| 29 | zynga.com | 264,152 |
| 30 | charter.net | 241,341 |
| 31 | yahoo.con | 220,323 |
| 32 | mail.com | 213,373 |
| 33 | web.de | 212,789 |
| 34 | mac.com | 204,985 |
| 35 | optonline.net | 199,181 |
| 36 | mail.ru | 188,894 |
| 37 | yahoo.com.au | 187,014 |
| 38 | live.com.au | 180,759 |
| 39 | hotmail.it | 169,146 |
| 40 | gmx.de | 162,993 |
| 41 | yahoo.ca | 162,234 |
| 42 | yahoo.fr | 162,115 |
| 43 | sky.com | 157,304 |
| 44 | Gmail.com | 147,545 |
| 45 | naver.com | 141,011 |
| 46 | live.fr | 125,987 |
| 47 | earthlink.net | 122,485 |
| 48 | 163.com | 118,299 |
| 49 | libero.it | 115,875 |
| 50 | orange.fr | 114,819 |
From the list above we can make assumptions about the locations of Zynga users:
| # | Domain Purpose / Country | User count |
| 1 | Commercial / United States | 129,250,910 |
| 2 | Network Infrastructure | 5,756,274 |
| 3 | Great Britain | 2,797,794 |
| 4 | France | 950,129 |
| 5 | Germany | 375,782 |
| 6 | Russia | 188,894 |
| 7 | Australia | 367,773 |
| 8 | Italy | 285,021 |
| 9 | Canada | 162,234 |
We can clearly see that the majority of Zynga’s user base is based in Western Europe. Judging from the country list Zynga had at least 133,821,870 users based in Western Europe – this number would consume about 64.88% of users if we compare it against records with duplicates and about 88.99% of users if we compare it against records without duplicates. Eastern Europe’s numbers are much smaller – in this case we can run analysis only on Russia – Russia would consume a mere 0.09% of the entire user base if compared with records including duplicates and 0.13% of the entire user base if compared with records without duplicates. Keep in mind that this number could be significantly higher if we would run the analysis on all email domains.
Zynga, counting on the database with duplicates included, had 115,318,761 users with the email length of equal or less than 20 characters and 98,540,978 users with the email length of more than 20 characters.
Zynga also stored passwords hashed and salted with the SHA1DASH algorithm, which, due to the design of the hash, is very difficult to crack.
Registration and last visit dates
Zynga also stored two types of dates – we can assume that they were dedicated for registration and last visit dates because all of the dates in the second field are at least a few days older than the first field.
Some of the registration dates can be seen below:
| # | Registration year | User count |
| 1 | 2008 | 8,899 |
| 2 | 2009 | 308,323 |
| 3 | 2010 | 8,049,512 |
| 4 | 2011 | 52,509,859 |
| 5 | 2012 | 45,864,542 |
| 6 | 2013 | 33,692,947 |
| 7 | 2014 | 19,797,958 |
| 8 | 2015 | 11,798,930 |
| 9 | 2016 | 11,919,813 |
| 10 | 2017 | 13,229,242 |
| 11 | 2018 | 9,906,177 |
| 12 | 2019 | 6,738,581 |
We can clearly see that Zynga started exploding in 2010 – 2011. Presumably because Zynga launched two notable games – FarmVille in 2009 and CityVille in December 2010. That would also explain how they acquired so many users in 2011.
We can also look at the months of registration:
| # | Year and month of registration | User count |
|---|---|---|
| 1 | January 2011 | 1,527,898 |
| 2 | February 2011 | 3,187,321 |
| 3 | March 2011 | 4,811,707 |
| 4 | April 2011 | 4,104,531 |
| 5 | May 2011 | 3,840,462 |
| 6 | June 2011 | 4,251,794 |
| 7 | July 2011 | 3,595,167 |
| 8 | August 2011 | 4,967,098 |
| 9 | September 2011 | 4,969,558 |
| 10 | October 2011 | 4,951,815 |
| 11 | November 2011 | 4,845,633 |
| 12 | December 2011 | 7,456,875 |
| 13 | January 2012 | 8,609,520 |
| 14 | February 2012 | 6,166,747 |
| 15 | March 2012 | 5,616,319 |
| 16 | April 2012 | 4,593,770 |
| 17 | May 2012 | 3,425,387 |
| 18 | June 2012 | 2,914,675 |
| 19 | May 2012 | 2,739,815 |
| 20 | August 2012 | 2,180,118 |
| 21 | September 2012 | 1,960,474 |
| 22 | October 2012 | 1,924,118 |
| 23 | November 2012 | 2,350,473 |
| 24 | December 2012 | 3,383,126 |
| 25 | January 2013 | 3,050,625 |
| 26 | February 2013 | 2,014,609 |
| 27 | March 2013 | 2,964,007 |
| 28 | April 2013 | 2,538,785 |
| 29 | May 2013 | 5,155,247 |
| 30 | June 2013 | 5,620,240 |
| 31 | July 2013 | 3,644,162 |
| 32 | August 2013 | 2,016,390 |
| 33 | September 2013 | 1,595,458 |
| 34 | October 2013 | 1,674,013 |
| 35 | November 2013 | 1,491,949 |
| 36 | December 2013 | 1,927,462 |
| 37 | January 2014 | 2,266,956 |
| 38 | February 2014 | 2,495,039 |
| 39 | March 2014 | 1,526,042 |
| 40 | April 2014 | 1,367,953 |
| 41 | May 2014 | 1,393,584 |
| 42 | October 2014 | 1,736,345 |
| 43 | November 2014 | 2,645,285 |
| 44 | December 2014 | 1,961,001 |
| 45 | January 2015 | 1,649,743 |
| 46 | January 2016 | 1,690,730 |
| 47 | May 2017 | 1,755,937 |
| 48 | November 2017 | 1,841,061 |
| 49 | December 2017 | 1,332,390 |
| 50 | January 2018 | 1,319,939 |
Now we can take a glance at the last visit dates. First, lets break them down by year:
| # | Year | User count |
| 1 | 2013 | 58,687,929 |
| 2 | 2014 | 68,633,963 |
| 3 | 2015 | 14,879,156 |
| 4 | 2016 | 11,867,841 |
| 5 | 2017 | 22,641,704 |
| 6 | 2018 | 16,827,914 |
| 7 | 2019 | 20,286,276 |
We can clearly see that the vast majority of users last visit dates were in 2014 – Zynga’s first quarter results for 2014 showed that daily active user numbers fell from 53 million to 28 million year-over-year, so we can make an assumption that this was a pretty devastating year for Zynga.
Now we can also take a look at the last visit dates including months:
| # | Year and month | User count |
|---|---|---|
| 1 | December 2013 | 58,631,283 |
| 2 | January 2014 | 1,233,821 |
| 3 | February 2014 | 1,910,625 |
| 4 | March 2014 | 12,286,336 |
| 5 | May 2014 | 1,286,521 |
| 6 | June 2014 | 31,170,789 |
| 7 | July 2014 | 1,102,223 |
| 8 | August 2014 | 6,064,564 |
| 9 | September 2014 | 2,637,421 |
| 10 | October 2014 | 2,982,078 |
| 11 | November 2014 | 4,074,683 |
| 12 | December 2014 | 2,882,402 |
| 13 | January 2015 | 2,343,310 |
| 14 | February 2015 | 1,519,108 |
| 15 | March 2015 | 1,158,878 |
| 16 | October 2015 | 1,246,491 |
| 17 | November 2015 | 1,212,826 |
| 18 | December 2015 | 1,508,320 |
| 19 | January 2016 | 1,955,831 |
| 20 | February 2016 | 1,447,082 |
| 21 | March 2016 | 1,148,311 |
| 22 | April 2016 | 1,146,150 |
| 23 | May 2016 | 1,227,472 |
| 24 | February 2017 | 2,808,792 |
| 25 | March 2017 | 2,224,243 |
| 26 | April 2017 | 1,705,594 |
| 27 | May 2017 | 2,191,226 |
| 28 | June 2017 | 3,090,247 |
| 29 | July 2017 | 1,960,363 |
| 30 | August 2017 | 1,284,560 |
| 31 | October 2017 | 1,740,587 |
| 32 | November 2017 | 2,426,871 |
| 33 | December 2017 | 1,729,112 |
| 34 | June 2018 | 1,743,764 |
| 35 | February 2018 | 1,183,800 |
| 36 | March 2018 | 1,132,668 |
| 37 | May 2018 | 1,394,505 |
| 38 | June 2018 | 1,634,963 |
| 39 | July 2018 | 1,455,900 |
| 40 | August 2018 | 1,379,390 |
| 41 | September 2018 | 1,409,367 |
| 42 | October 2018 | 1,608,628 |
| 43 | November 2018 | 1,441,809 |
| 44 | December 2018 | 1,489,667 |
| 45 | January 2019 | 1,678,076 |
| 46 | February 2019 | 1,479,820 |
| 47 | March 2019 | 1,850,556 |
| 48 | April 2019 | 1,720,382 |
| 49 | July 2019 | 3,792,126 |
| 50 | August 2019 | 6,817,538 |
Phone numbers
Alongside email addresses, registration and last visit dates, Zynga also stored phone numbers allowing us to glance at the country calling codes to make further assumptions where Zynga users were based:
| # | Country calling code | User count | Country |
|---|---|---|---|
| 1 | 3 | 164,903,318 | Unknown |
| 2 | 33 | 101,870,140 | France |
| 3 | 333 | 35,302,909 | France |
| 4 | 334 | 54,502,673 | United States (Alabama) |
| 5 | 335 | 1,937,399 | United States (Alabama) |
| 6 | 336 | 3,791,932 | United States (North Carolina) |
| 7 | 337 | 2,815,516 | United States (Louisiana) |
| 8 | 338 | 1,980,136 | United States (Kansas) |
| 9 | 339 | 1,539,575 | United States (Massachusetts) |
| 10 | 34 | 9,679,368 | Spain |
| 11 | 340 | 1,096,303 | United States (Virgin Islands) |
| 12 | 343 | 1,644,088 | Canada |
| 13 | 344 | 1,545,168 | United States (Maryland) |
| 14 | 35 | 1,232,958 | Unknown |
| 15 | 36 | 26,450,768 | Hungary |
| 16 | 360 | 1,225,829 | United States (Washington) |
| 17 | 361 | 1,286,462 | United States (Texas) |
| 18 | 362 | 1,916,541 | United States (Kansas) |
| 19 | 363 | 4,450,702 | United States (Missouri) |
| 20 | 364 | 5,034,853 | United States (Kentucky) |
| 21 | 365 | 3,738,655 | Canada |
| 22 | 366 | 2,105,035 | United States (North Carolina) |
| 23 | 367 | 1,726,155 | Canada |
| 24 | 368 | 1,838,625 | United States (Louisiana) |
| 25 | 369 | 3,127,911 | United States (California) |
| 26 | 37 | 12,907,096 | Discontinued, once was assigned to East Germany |
| 27 | 370 | 2,669,477 | Lithuania |
| 28 | 371 | 2,535,843 | Latvia |
| 29 | 372 | 1,402,870 | Estonia |
| 30 | 373 | 1,186,081 | Moldova |
| 31 | 38 | 10,729,895 | Ukraine |
| 32 | 382 | 1,441,145 | Montenegro |
| 33 | 383 | 2,060,581 | Kosovo |
| 34 | 384 | 1,806,749 | United States (Kansas) |
| 35 | 39 | 2,033,093 | Italy |
| 36 | 7 | 48,921,308 | Russia |
| 37 | 70 | 3,084,166 | United Kingdom |
| 38 | 71 | 8,316,024 | Botswana |
| 39 | 716 | 1,030,008 | United States (New York) |
| 40 | 717 | 1,255,644 | United States (Pennsylvania) |
| 41 | 718 | 1,358,479 | United States (New York, excluding Manhattan) |
| 42 | 719 | 1,313,189 | United States (Colorado) |
| 43 | 72 | 14,019,502 | Serbia |
| 44 | 720 | 1,459,595 | United States (Colorado) |
| 45 | 721 | 1,323,153 | United States (Saint Martin) |
| 46 | 724 | 1,356,205 | United States (Pennsylvania) |
| 47 | 725 | 1,357,354 | United States (Nevada) |
| 48 | 726 | 1,191,305 | United States (Texas) |
| 49 | 727 | 1,611,795 | United States (Florida) |
| 50 | 728 | 2,053,585 | United States (Virginia) |
| 51 | 729 | 1,777,324 | United States (Colorado) |
| 52 | 73 | 10,745,346 | Kazakhstan |
| 53 | 730 | 1,698,551 | United States (Illinois) |
| 54 | 731 | 1,291,637 | United States (Tennessee) |
| 55 | 732 | 1,681,681 | United States (New Jersey) |
| 56 | 733 | 2,054,451 | United States (Illinois) |
| 57 | 734 | 1,495,079 | United States (Michigan) |
| 58 | 74 | 10,492,013 | United Kingdom |
| 59 | 740 | 1,013,513 | United States (Ohio) |
| 50 | 743 | 1,193,652 | United States (North Carolina) |
| 61 | 744 | 1,000,773 | United States (Massachusetts) |
| 62 | 745 | 1,151,327 | United States (Florida) |
| 63 | 746 | 1,422,644 | United States (New York) |
| 64 | 748 | 1,316,537 | United States (New York) |
| 65 | 75 | 1,564,523 | Afghanistan |
| 66 | 76 | 699,734 | Norway |
We can see that the most prevalent area code was “3” – it had over 164 million records, so the best guess here would be that this area code was assigned to another area too. We can also clearly see that there was a lot of numbers that were based in different states across the United States, so let’s dive into them too:
| # | State | User count |
| 1 | Alabama | 56,440,072 |
| 2 | North Carolina | 7,090,619 |
| 3 | Kansas | 5,703,426 |
| 4 | New York | 5,127,668 |
| 5 | Kentucky | 5,034,853 |
| 6 | Louisiana | 4,654,141 |
| 7 | Colorado | 4,550,108 |
| 8 | Missouri | 4,450,702 |
| 9 | Illinois | 3,753,002 |
| 10 | California | 3,127,911 |
| 11 | Florida | 2,763,122 |
| 12 | Pennsylvania | 2,611,849 |
| 13 | Massachusetts | 2,540,348 |
| 14 | Texas | 2,477,767 |
| 15 | Virginia | 2,053,585 |
| 16 | New Jersey | 1,681,681 |
| 17 | Maryland | 1,545,168 |
| 18 | Michigan | 1,495,079 |
| 29 | Nevada | 1,357,354 |
| 20 | Tennesee | 1,291,637 |
| 21 | Washington | 1,225,829 |
| 22 | Virgin Islands | 1,096,303 |
| 23 | Ohio | 1,013,513 |
Judging from the analysis above, we can tell that over a quarter – 27.36% – of the entire user base were apparently from Alabama if we compare the number against a database with duplicates. If we compare the number against the database without duplicates, we would see that users from Alabama consume an enormously huge percentage – 37.54% – of the whole user base: that’s more than some of the states combined.
Now we can also take a look at the rest of the area codes – this time, excluding the United States. Do note that the “Unknown” in the column represents an unusually high amount of users – it’s probably a mix between some countries.
| # | Country | User count |
| 1 | Unknown | 166,136,276 |
| 2 | France | 137,173,049 |
| 3 | Spain | 9,679,368 |
| 4 | Canada | 7,108,898 |
| 5 | Hungary | 26,450,768 |
| 6 | Discontinued, once was assigned to East Germany | 12,907,096 |
| 7 | Lithuania | 2,669,477 |
| 8 | Latvia | 2,535,843 |
| 9 | Estonia | 1,402,870 |
| 10 | Moldova | 1,186,081 |
| 11 | Ukraine | 10,729,895 |
| 12 | Montenegro | 1,441,145 |
| 13 | Kosovo | 2,060,581 |
| 14 | Italy | 2,033,093 |
| 15 | Russia | 48,921,308 |
| 16 | Botswana | 8,316,024 |
| 17 | Serbia | 14,019,502 |
| 18 | Kazakhstan | 10,745,346 |
| 19 | United Kingdom | 13,576,179 |
| 20 | Afghanistan | 1,564,523 |
| 21 | Norway | 699,734 |
We can see that the vast majority of Zynga’s users came either from the United States or the Western part of Europe.
Summary
Judging by the entire analysis above, we can draw an assumption that monthly active users of Zynga combined (from the beginning until the time of the breach) were nearing a few billion mark which is very impressive given that the service had its peak sometime in between 2011 and 2013.
Although this data breach, with duplicates included, impacted over 200 million users, Zynga’s team had done a very good job protecting the data by hashing the passwords with SHA1 and salts. As already mentioned above, due to its design, this hash is resilient to cracking, so further damage was avoided.