Zynga Data Breach Analysis
Introduction
Zynga is an American social game developer. The company was founded in April 2007 with headquarters in San Francisco, California, United States. The company has a mission to “connect the world through video games.”
The company has developed multiple well-known games including Farmville, Zynga Poker, Words With Friends, Mafia Wars and Empires & Allies amongst others.
Zynga acknowledged the breach in September 2019 — in total, the data breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
What data is at risk?
The leaked data includes usernames, email addresses, dates of some sort (presumably registration and last visit dates), phone numbers and passwords hashed with the SHA-1 algorithm.
Email addresses
10 of the most frequently used email domains on Zynga can be seen below:
From the list above we can make assumptions about the locations of Zynga users:
We can clearly see that the majority of Zynga’s user base is based in Western Europe. Judging from the country list, Zynga had at least 133,821,870 users based in Western Europe: about 64.88% of users if we compare the number against records with duplicates, and about 88.99% of users if we compare it against records without duplicates. Eastern Europe’s numbers are much smaller. In this case we can run the analysis only on Russia, which would account for a mere 0.09% of the entire user base if compared with records including duplicates and 0.13% if compared with records without duplicates. Keep in mind that this number could be significantly higher if we ran the analysis on all email domains.
Counting against the database with duplicates included, Zynga had 115,318,761 users with an email address of 20 characters or fewer and 98,540,978 users with an email address longer than 20 characters.
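The domain shares and the 20-character length split described above can be reproduced with a short script. This is an added example, not the author's tooling: the sample addresses are constructed, treating a repeated normalised address as a duplicate is an assumption, and `pct_dedup_only` is an extra like-for-like figure the page does not report.

```python
from collections import Counter

# Constructed sample addresses; not data from the breach.
SAMPLE = [
    "Alice@Example.co.uk",
    "alice@example.co.uk ",              # duplicate once normalised
    "bob@example.de",
    "carol.long.address@example.co.uk",
    "dave@example.ru",
    "not-an-email",                      # malformed, skipped
    "bob@example.de",                    # exact duplicate
]

def normalise(email):
    """Trim and lower-case; return None when there is no usable domain."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return email

def domain_of(email):
    return email.rpartition("@")[2]

def analyse(emails, length_cutoff=20, top=10):
    valid = [e for e in map(normalise, emails) if e]
    unique = set(valid)  # assumption: a duplicate is a repeated address
    with_dup = Counter(map(domain_of, valid))
    without_dup = Counter(map(domain_of, unique))
    rows = []
    for domain, count in with_dup.most_common(top):
        rows.append({
            "domain": domain,
            "count": count,
            # the two shares quoted in the text: one count, two denominators
            "pct_vs_with_dup": round(100 * count / len(valid), 2),
            "pct_vs_without_dup": round(100 * count / len(unique), 2),
            # like-for-like share: de-duplicated count over de-duplicated total
            "pct_dedup_only": round(100 * without_dup[domain] / len(unique), 2),
        })
    return {
        "with_duplicates": len(valid),
        "without_duplicates": len(unique),
        "malformed": len(emails) - len(valid),
        "len_le_cutoff": sum(len(e) <= length_cutoff for e in valid),
        "len_gt_cutoff": sum(len(e) > length_cutoff for e in valid),
        "domains": rows,
    }
```

When a count taken with duplicates is divided by the de-duplicated total, the share is inflated (75% against 50% for `example.co.uk` in the sample), so the two percentages are best read as a lower and an upper bound.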
Zynga also stored passwords hashed and salted with the SHA1DASH algorithm, which, due to the design of the hash, is very difficult to crack.
Registration and last visit dates
Zynga also stored two types of dates. We can assume that they were used for registration and last visit dates, because all of the dates in the second field are at least a few days older than those in the first field.
We can clearly see that Zynga started exploding in 2010–2011, presumably because Zynga launched two notable games: FarmVille in 2009 and CityVille in December 2010. That would also explain how they acquired so many users in 2011.
We can also look at the months of registration:
Now we can take a glance at the last visit dates. First, let’s break them down by year:
We can clearly see that the vast majority of users’ last visit dates were in 2014. Zynga’s first quarter results for 2014 showed that daily active user numbers fell from 53 million to 28 million year-over-year, so we can assume that this was a pretty devastating year for Zynga.
Now we can also take a look at the last visit dates including months:
Phone numbers
Alongside email addresses, registration and last visit dates, Zynga also stored phone numbers allowing us to glance at the area codes to make further assumptions where Zynga users were based:
We can see that the most prevalent area code was “3”. It had over 164 million records, so the best guess here would be that this area code was assigned to another area too. We can also clearly see that there were a lot of numbers based in different states across the United States, so let’s dive into them too:
Judging from the analysis above, we can tell that over a quarter (27.36%) of the entire user base was apparently from Alabama if we compare the number against the database with duplicates. If we compare the number against the database without duplicates, users from Alabama account for an enormous 37.54% of the whole user base: that’s more than some of the states combined.
Now we can also take a look at the rest of the area codes, this time excluding the United States. Do note that the “Unknown” in the column represents an unusually high number of users; it’s probably a mix of several countries.
We can see that the vast majority of Zynga’s users came either from the United States or the Western part of Europe.
Summary
Judging by the entire analysis above, we can assume that the combined monthly active users of Zynga (from the beginning until the time of the breach) were nearing the few-billion mark, which is very impressive given that the service had its peak sometime between 2011 and 2013.
Although this data breach, with duplicates included, impacted over 200 million users, Zynga’s team had done a very good job protecting the data by hashing the passwords with SHA-1 and salts. As already mentioned above, due to its design, this hash is resilient to cracking, so further damage was avoided.