Zynga Data Breach Analysis
Zynga is an American social game developer. The company was founded in April 2007 with headquarters in San Francisco, California, United States. The company has a mission to “connect the world through video games”.
The company has developed multiple well-known games including Farmville, Zynga Poker, Words With Friends, Mafia Wars and Empires & Allies amongst others.
Zynga acknowledged the breach in September 2019 – in total, the data breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
What data is at risk?
The leaked data includes usernames, email addresses, dates of some sort (presumably registration and last visit dates), phone numbers and passwords hashed with the SHA-1 algorithm.
50 of the most frequently used email domains on Zynga can be seen below:
From the list above we can make assumptions about the locations of Zynga users:
|#||Domain Purpose / Country||User count|
|1||Commercial / United States||129,250,910|
We can clearly see that the majority of Zynga’s user base is based in Western Europe. Judging from the country list Zynga had at least 133,821,870 users based in Western Europe – this number would consume about 64.88% of users if we compare it against records with duplicates and about 88.99% of users if we compare it against records without duplicates. Eastern Europe’s numbers are much smaller – in this case we can run analysis only on Russia – Russia would consume a mere 0.09% of the entire user base if compared with records including duplicates and 0.13% of the entire user base if compared with records without duplicates. Keep in mind that this number could be significantly higher if we would run the analysis on all email domains.
Zynga, counting on the database with duplicates included, had 115,318,761 users with the email length of equal or less than 20 characters and 98,540,978 users with the email length of more than 20 characters.
Zynga also stored passwords hashed and salted with the SHA1DASH algorithm, which, due to the design of the hash, is very difficult to crack.
Registration and last visit dates
Zynga also stored two types of dates – we can assume that they were dedicated for registration and last visit dates because all of the dates in the second field are at least a few days older than the first field.
Some of the registration dates can be seen below:
|#||Registration year||User count|
We can clearly see that Zynga started exploding in 2010 – 2011. Presumably because Zynga launched two notable games – FarmVille in 2009 and CityVille in December 2010. That would also explain how they acquired so many users in 2011.
We can also look at the months of registration:
|#||Year and month of registration||User count|
Now we can take a glance at the last visit dates. First, lets break them down by year:
We can clearly see that the vast majority of users last visit dates were in 2014 – Zynga’s first quarter results for 2014 showed that daily active user numbers fell from 53 million to 28 million year-over-year, so we can make an assumption that this was a pretty devastating year for Zynga.
Now we can also take a look at the last visit dates including months:
|#||Year and month||User count|
Alongside email addresses, registration and last visit dates, Zynga also stored phone numbers allowing us to glance at the country calling codes to make further assumptions where Zynga users were based:
|#||Country calling code||User count||Country|
|4||334||54,502,673||United States (Alabama)|
|5||335||1,937,399||United States (Alabama)|
|6||336||3,791,932||United States (North Carolina)|
|7||337||2,815,516||United States (Louisiana)|
|8||338||1,980,136||United States (Kansas)|
|9||339||1,539,575||United States (Massachusetts)|
|11||340||1,096,303||United States (Virgin Islands)|
|13||344||1,545,168||United States (Maryland)|
|16||360||1,225,829||United States (Washington)|
|17||361||1,286,462||United States (Texas)|
|18||362||1,916,541||United States (Kansas)|
|19||363||4,450,702||United States (Missouri)|
|20||364||5,034,853||United States (Kentucky)|
|22||366||2,105,035||United States (North Carolina)|
|24||368||1,838,625||United States (Louisiana)|
|25||369||3,127,911||United States (California)|
|26||37||12,907,096||Discontinued, once was assigned to East Germany|
|34||384||1,806,749||United States (Kansas)|
|39||716||1,030,008||United States (New York)|
|40||717||1,255,644||United States (Pennsylvania)|
|41||718||1,358,479||United States (New York, excluding Manhattan)|
|42||719||1,313,189||United States (Colorado)|
|44||720||1,459,595||United States (Colorado)|
|45||721||1,323,153||United States (Saint Martin)|
|46||724||1,356,205||United States (Pennsylvania)|
|47||725||1,357,354||United States (Nevada)|
|48||726||1,191,305||United States (Texas)|
|49||727||1,611,795||United States (Florida)|
|50||728||2,053,585||United States (Virginia)|
|51||729||1,777,324||United States (Colorado)|
|53||730||1,698,551||United States (Illinois)|
|54||731||1,291,637||United States (Tennessee)|
|55||732||1,681,681||United States (New Jersey)|
|56||733||2,054,451||United States (Illinois)|
|57||734||1,495,079||United States (Michigan)|
|59||740||1,013,513||United States (Ohio)|
|50||743||1,193,652||United States (North Carolina)|
|61||744||1,000,773||United States (Massachusetts)|
|62||745||1,151,327||United States (Florida)|
|63||746||1,422,644||United States (New York)|
|64||748||1,316,537||United States (New York)|
We can see that the most prevalent area code was “3” – it had over 164 million records, so the best guess here would be that this area code was assigned to another area too. We can also clearly see that there was a lot of numbers that were based in different states across the United States, so let’s dive into them too:
Judging from the analysis above, we can tell that over a quarter – 27.36% – of the entire user base were apparently from Alabama if we compare the number against a database with duplicates. If we compare the number against the database without duplicates, we would see that users from Alabama consume an enormously huge percentage – 37.54% – of the whole user base: that’s more than some of the states combined.
Now we can also take a look at the rest of the area codes – this time, excluding the United States. Do note that the “Unknown” in the column represents an unusually high amount of users – it’s probably a mix between some countries.
|6||Discontinued, once was assigned to East Germany||12,907,096|
We can see that the vast majority of Zynga’s users came either from the United States or the Western part of Europe.
Judging by the entire analysis above, we can draw an assumption that monthly active users of Zynga combined (from the beginning until the time of the breach) were nearing a few billion mark which is very impressive given that the service had its peak sometime in between 2011 and 2013.
Although this data breach, with duplicates included, impacted over 200 million users, Zynga’s team had done a very good job protecting the data by hashing the passwords with SHA1 and salts. As already mentioned above, due to its design, this hash is resilient to cracking, so further damage was avoided.