Game Developer Zynga Hit with Class Actions Over September 2019 Data Breach Affecting 170M Users

New to ClassAction.org? Read our Newswire Disclaimer

Zynga, Inc. has been hit with at least two proposed class actions over a September 2019 data breach that reportedly affected more than 170 million accounts.

According to the cases, the Words with Friends, FarmVille, and Zynga Poker developer had in place outdated security measures that were considered insecure “since before Zynga was even founded.” As a direct result of the defendant’s lax data security, those with Zynga accounts, including a significant number of minors, had their names, email addresses, Zynga and Facebook login details and, in some cases, financial information exposed to an unauthorized third party in September 2019, the suits say.

The complaints explain that on September 12, 2019, Zynga posted on its website a “Player Security Announcement” in which the company stated that “certain player information may have been illegally accessed by outside hackers.” According to the lawsuits, a “prolific hacker” that goes by the alias Gnosticplayers was able to access approximately 170 million accounts within Zynga’s user database in September 2019 due to an outdated encryption method, known as SHA-1 cryptography, that had been banned for use by federal government agencies since 2010.

Notwithstanding its website post, which one suit says offered no direction as far as resources for affected individuals to manage fraud or identity theft, Zynga “never directly notified” customers whose information may have been stolen, the cases say. One of the lawsuits points out that Zynga players have “no reason” to access the company’s website in order to play games and likely have not read the developer’s security notice. Both plaintiffs in the suit say they received notice of the data breach through third-party website haveibeenpwned.com.

“Zynga has not to date sent any email or other form of communication to its users informing them of the Zynga Data Breach,” one of the cases states, noting that the breach has had “severe ramifications” for users, including exposure to a higher risk of identity theft and fraud.

Moreover, the lawsuits point out that many of Zynga’s users—perhaps as much as eight percent—are minors. The cases argue that children’s personal information is “particularly attractive” to identity thieves, who may be able to use their data for “years or even decades” before the fraudulent activity is noticed.

The two lawsuits, both filed in California district court, seek to cover anyone whose personally identifiable information was accessed in the Zynga data breach that occurred in September 2019.

Want class action news sent to your inbox? Sign up for ClassAction.org’s newsletter here.