Insights From The Zynga Breach
When corporate data breaches occur, how much blame should be placed on the companies themselves, and how much blame do we own for blindly trusting them?
When Zynga, a leading developer of social games, announced on September 12th of last year that “we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed,” the news probably didn’t worry too many people. Data breaches are a common occurrence nowadays, and video game apps tend not to elicit our worst privacy fears in the way that, say, finance and social media apps do. In the announcement, Zynga said little more about the nature or scale of the data that had been exposed. Instead, the focus was on the “unfortunate reality” of cyberattacks and how “immediately” the company initiated an “investigation” into the matter.
This story could certainly spark a robust discussion of corporate irresponsibility in cyberspace (not least because a lone hacker executed the entire breach). Frankly, though, there may not be enough room on the Internet to cover the extent of that issue.
Upon closer examination, however, there is a more interesting side to the Zynga story--and we don’t get to blame it on some faceless corporation. It’s about the role we play in our own loss of privacy: we, the customers of these businesses, the users of these online services.
Those Who Live in Glass Houses...
haveibeenpwned is a website that is famous for monitoring and tracking releases of leaked data from corporate hacks. With this service, anyone can look up whether his or her personal information has been exposed in a major public data breach.
Aside from the search function, haveibeenpwned has the unique capability to analyze and cross-reference leaked datasets to provide insights into the kinds of data we’ve been generating. The results, as they pertain to Zynga, are not promising, as evidenced by the above tweet with its figure of 69 percent.
If so much of the Zynga data already existed on haveibeenpwned, the reason must be that people habitually reuse the same authentication details for multiple online accounts. But we knew this long before the Zynga incident.
In February of last year, Google partnered with Harris Poll to conduct a modest survey of average Americans’ personal cybersecurity habits. With a sample of 3,000 individuals, the survey yielded some telling results: a full 65 percent of respondents admitted to reusing passwords, including 13 percent who used the same password for all of their accounts.
The problem isn’t just recycled passwords, though. Many of us are unaware of the tools that could help to solve our password woes. Only 55 percent of the Google/Harris Poll survey’s respondents knew about two-factor authentication (2FA) or password managers.
Additionally, many of us lack a basic awareness of our own vulnerability. 59 percent of the survey’s respondents believed that their online accounts were safer than the average person’s, and 69 percent graded their own cybersecurity methods with an ‘A’ or ‘B.’ If 69 percent of people are A- or B-level cyber citizens, and 65 percent reuse passwords, then we have one of two possibilities on our hands. Either the bar we’ve set for ourselves is way too low, or a lot of folks don’t know about the true risk of reusing passwords.
The Problem with Reused Passwords
In case there’s any misunderstanding, let’s go over why reused passwords are a problem in the first place.
Quite often, companies’ customer data are exposed to a hacker, and those data end up online somewhere. Hackers will then come for their share of the spoils, as they have all kinds of ways to leverage even such basic information as your email and password. The reason why they do this: they know we’re reusing this information. Any hacker with your Zynga login credentials can try them out on Facebook, Amazon, Capital One, or anywhere else. 65 percent of us reuse passwords, and most of us have Facebook and Amazon accounts, so it wouldn’t take long to get a hit.
This is the crucial point. It’s not really about whether your video game account is hijacked, because criminals likely can’t do much with your Farmville save file (other than help tend to your crops while you’re away figuring out how to reset your password). However, they can certainly do a lot more with Farmville login data that you also use with Wells Fargo or Google.
It’s also worth mentioning that we’ve used the term “hacker” thus far in this article, but at no point in this process would anyone need to “hack” anything. You, reading this now, can go online, and--if you know where to look--obtain someone’s authentication credentials for purposes of financial crimes or identity theft. I don’t recommend doing so, but you would probably be capable enough if you were so inclined.
Users can avoid many of these cybersecurity pitfalls by making sure to set a separate password for each account. But the statistics indicate the average US user may have 150 online accounts. So this is often avoided because it is difficult to create and remember unique passwords for many accounts.
Additional online authentication methods are also available for many types of accounts. Zynga may not offer two-factor authentication (2FA) for Words With Friends accounts, but PayPal certainly does for its accounts, and so does Amazon, as well as most other sites that are responsible for maintaining sensitive customer data. 2FA is an effective “patch” for the vulnerability of reused or leaked passwords, although some users find it inconvenient or unfriendly, and some breaches have resulted from attacks on 2FA methods. As a safeguard, some companies send their users an email notification when their account has been accessed. While this doesn’t prevent the unauthorized access, the notification helps users take prompt response action.
Password generators, which are included in many password managers, are another solution; these allow for easy (and sometimes free) management of many passwords, which can be as complicated or unique as the user desires. However, a password manager account must itself be locked with a single, good-enough, memorable-enough password. Likewise, while password managers go some way toward preventing individual accounts from being hijacked, they do nothing to prevent the leakage of passwords from a data breach like Zynga’s.
The company behind this article, Hopr, has developed another solution to combat password reuse. Its Password Hopping® technology uses a simple algorithm to ensure that a user’s passwords are never reused while eliminating the memorization of many unique passwords. For more information on how this works, visit gethopr.com.