Even your mobile phone games are susceptible to hackers. A hacker has stolen user account information and alleged product source code from FunPlus, the company that makes the highly popular free-to-play mobile game Family Farm Seaside.
"I decided I'm just gonna publish everything and let their investors see what a joke their security and shit is," the hacker allegedly behind the breach told Motherboard.
In Family Farm, players maintain and level up their own farm, grow crops, and care for animals. The game is based on a free-to-play model, which means that the game itself is free to download, but users can pay real cash for additional in-game items. According to the FunPlus website, over 4 million people play Family Farm every day.
The customer information includes email addresses, game progression information, and usernames. In one section of the files that appear to relate to Family Farm Seaside, Motherboard found over 3.3 million email addresses in the data dump (although not every user record came with an accompanying email address).
The data does not appear to include passwords, as some player authentication may be carried out when a player links their user account to their Facebook profile.
The hacker provided Motherboard with several sets of data for verification purposes, which appear to date from mid-January, judging by the files' timestamps.
One person in the dump, reached by Motherboard via their email address, confirmed that they did play Family Farm Seaside. The player also confirmed that their farm's level would have been accurate around the time of the dump. Motherboard found that some of the email addresses were also linked to accounts on the FunPlus forums.
The hacker also claimed to have around 16GB of product source code stolen from FunPlus.
In a statement to Motherboard, FunPlus Chief Strategy Officer Dan Fiden claimed the hacker had attempted to extort the company. (The hacker denied* this.)
"In January of this year we became aware that an unauthorized person had criminally accessed systems related to one of our games, Family Farm Seaside, and attempted hold those systems for ransom. We immediately worked with our internal team and external security experts to assess the extent of this criminal access and to address the issues that led to the breach," Fiden wrote.
"We concluded that the unauthorized individual had access to Family Farm Seaside game data, including user email addresses. No game other than Family Farm Seaside was impacted, and no payment or personally identifying information other than email addresses was accessed. Nonetheless, we recommend to all of our users they modify passwords associated with accounts using the same email used for Family Farm Seaside," he added.
The lesson: Free-to-play games always come with a price. Whether that's with extra microtransactions, or through the collection of your personal data, the game developers are almost always looking to profit somehow, obviously. If you are concerned with losing personal data in a similar sort of hack, maybe sign up to services with a second email address, and certainly a password that is not the same as one used on other accounts.
*This piece has been updated to add that the hacker denies attempting to blackmail FunPlus.