As cybercriminals find new ways to infiltrate an organization’s private data stores, we are seeing an increasing number of breaches reported in the news. When a breach has the potential to affect an organization, the facts must be communicated to its teams through an emailed Security Brief. If the breach is critical, the organization must send a Security Alert, delivered by both email and SMS.
Two recent breaches have been announced by Zynga Inc. and DoorDash.
Zynga Breach: What Happened?
On September 12, 2019, Zynga Inc., an online interactive gaming company, announced they’d recently discovered that certain player account information may have been illegally accessed by outside hackers. Although Zynga has not yet addressed the scope, media reports indicate that the hacker claims to have breached the data of more than 200 million players of Zynga games, including Draw Something and Words with Friends accounts on both Android and iOS platforms.
Players who installed and signed up to play Words with Friends before September 3, 2019 may be affected. It has been reported that Words with Friends player data that has potentially been compromised includes:
- Email addresses
- Login IDs
- Hashed and salted passwords
- Phone numbers, where provided
- Password reset tokens if one had ever been requested
- Facebook IDs, if connected to the social media platform
- Zynga account IDs
Zynga has opened an investigation into the breach and has contacted law enforcement. The company issued a press release that states some of the details as well as the steps it is taking to protect these users’ accounts from invalid logins.
DoorDash Breach: What Happened?
On September 26, 2019, DoorDash, the food delivery company, confirmed an unauthorized third-party service gained access to user data on May 4, 2019.
Consumers, delivery drivers, and merchants who joined the DoorDash platform on or before April 5, 2018, are affected in this breach. The type of information potentially compromised could include:
Profile information including:
- Email address
- Delivery address
- Order history
- Phone numbers
- Hashed and salted passwords
For some consumers, the last 4 digits of consumer payment cards (the company stated this information was insufficient to make fraudulent charges). For some delivery drivers and merchants, the last 4 digits of bank account numbers (similarly, the company stated this information was insufficient to make fraudulent withdrawals). Approximately 100,000 delivery drivers also had their driver’s license numbers accessed.
In a statement on the DoorDash website, the company said it has taken appropriate measures to block the unauthorized third party and further secure consumers’ data. It will notify those who have been affected directly.
What should you do if you think you may have been affected?
- Change your passwords. You will especially want to change any passwords you have that may be associated with the breached organizations.
- Set up credit monitoring and watch for changes in your credit file, such as added accounts you did not authorize or collections for accounts you are unaware of. Credit Karma is a good free credit monitoring solution.
- If you believe you have been affected, you can opt to freeze your credit. You can put a freeze on your credit report and prevent unauthorized individuals from opening an account in your name. Certain credit cards such as Discover will also allow you to lock and unlock an account.
- Monitor your bank account and credit card activity.
- Always remain alert. Keep an eye open for scammers that may be trying to contact you.