DATA BREACH ALERT

WildWorks has learned that a database containing some Animal Jam user data was stolen in connection with a recent attack on the server of a vendor WildWorks uses for intra-company communication. A subset of the stolen records includes the email addresses of the parents managing the player accounts and other data that could be used to identify the parents of Animal Jam players.

What information was taken?

The database circulated by the hackers consists of approximately 46M Animal Jam account records. The information in these records includes the following:

  • Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
  • Approximately 32 million player usernames associated with these parent accounts
  • Passwords associated with those user accounts, but in encrypted form
  • 14.8M records include the birth year the player entered at account creation
  • 23.9M records include the gender the player entered at account creation
  • 5.7M accounts include the full birthday the player entered at account registration
  • 12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
  • 16,131 of the parent accounts include a parent’s first and last name, without a billing address

We’ll update this FAQ with any new information on the data stolen as our investigation progresses.

We believe the information stolen was confined to the items listed above. No real names of children were part of this breach. All Animal Jam usernames are human moderated to ensure they do not include a child’s real name or other personally identifying information.

What billing information was exposed?

Approximately 0.02% of the records exposed in this breach included partial or full billing addresses associated with Animal Jam parent accounts. Unfortunately, the haveibeenpwned.com site cannot tell you if your billing address was among those exposed, as it only notes in general the types of information that the database contained, and whether your specific email address was included.

However, we can provide some additional guidance to help you determine if your billing address and/or real name may have been exposed. The only records in the stolen database that may have included a billing name or address are those associated with accounts that made a recent payment to Animal Jam via PayPal. If you haven’t made a payment to Animal Jam, or if you made it through means other than PayPal, your billing address was not in these records. Your email address may yet have been one of those exposed in the breach, but without this additional information.

If you have made a recent payment to Animal Jam through PayPal, you may also be concerned about the security of your PayPal account and banking information. Fortunately, we can be certain that none of this information was compromised in this theft, because at no time does WildWorks ever possess or store data that could be used to initiate fraudulent payments. Payment details, credit card numbers, and other sensitive financial information are sent directly and securely to the banks or payment processors that execute transactions for Animal Jam, and do not pass through our servers at all.

When did this happen?

We believe our vendor’s server was compromised some time between October 10-12, 2020. It was not apparent at the time that a database of account names was accessed as a result of the break-in, and all relevant systems were altered and secured against further intrusion. The database theft most likely occurred in the same October 10-12, 2020 time window.

WildWorks learned of the database theft today, November 11, 2020, when security researchers monitoring a public hacker forum saw the data posted there and alerted us.

Where was this information circulated?

Security researchers discovered this information was uploaded to raidforums.com, a well-known online forum for cyber-criminals. At this time we have not seen it circulated anywhere else, but we are continuing to investigate.

The database compromised in this breach includes a subset of accounts created in Animal Jam and Animal Jam Classic over the past 10 years. Independent security researcher Troy Hunt maintains a website that tracks thefts of user data to provide the public with the ability to determine if their data has been compromised by these crimes. Visit https://haveibeenpwned.com and search for your email address there. The website will show you any data breaches known to security researchers that included your email address.

How did this happen?

Our investigation is ongoing, but it appears that a hacker was able to penetrate the server of a third-party vendor WildWorks uses for intra-company communication. There they obtained a key that enabled them to access this database. No other user data appears to have been accessed, and all user databases have now been secured against similar attacks.

Is my Animal Jam account safe?

The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgeable hackers to break the encryption and expose your password as plain text.

As a precaution, we are forcing ALL players to change their passwords immediately to ensure the security of their accounts. We urge Jammers to choose a new password that is at least 8 characters long and incorporates a random combination of capital letters, numbers, and lowercase letters, but does NOT incorporate any actual words or names.

Have the hackers been caught?

WildWorks is sharing all of our information about this data breach with the FBI and international enforcement agencies. We will work closely with law enforcement to identify and prosecute the perpetrators of this attack.

What should I do to protect myself?

  1. Search for any email address you’ve used in the past several years at the https://haveibeenpwned.com website to see if it was among those in the compromised database.
  2. If your email address WAS included in the breach, as a precaution you should change your email account password immediately — especially if it’s a password you also use for other online accounts.
  3. Never share your Animal Jam password with anyone, for any reason. Not even your best friend. Never enter your username or password into websites promising free Sapphires or Pack memberships. These sites exist solely to steal your login credentials.
  4. If you believe your Animal Jam account was accessed illegally, contact the security team via email at support@animaljam.com. They will investigate and secure your account.