Kids' gaming website Animal Jam breached after miscreants spot private AWS key on pwned Slack channel Child-friendly games website Animal Jam suffered a hack that exposed 46 million user records after a staff Slack channel was compromised by malicious people who discovered a private AWS key. Animal Jam chief exec Clary Stacey confirmed the hack after Bleeping Computer spotted information from the compromised AWS server being …
“The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgable hackers to break the encryption and expose your password as plain text,”
Except that there are plenty of SHA-1 rainbow tables around, so even a "good" password could be compromised if it was in the tables used to drive tests against the data.
One would hope that they have a process to disable and then delete accounts that have not been used for a significant time, maybe a year. The trouble with loads of these sites that are targeted at kids is they use them for a bit and then stop. There is nothing wrong with this but it is easy to forget that there is a login lurking out there, particularly if there are no emails being sent.
I somehow think that it is wishful thinking to believe they zapped accounts that had not been used for 12 or 24 months. This reminded me that my daughter has/had a login for Animal Jam some years ago. I have no recollection of it ever being closed.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
