JENNIE LEE ANDERSON (SBN 203586)
jennie@andrusanderson.com
ANDRUS ANDERSON LLP
155 Montgomery Street, Suite 900
San Francisco, CA 94104
Telephone: (415) 986-1400
Facsimile: (415) 986-1474

ELIZABETH A. FEGAN (pro hac vice forthcoming)
beth@feganscott.com
FEGAN SCOTT LLC
150 S. Wacker Dr., 24th Floor
Telephone: (312) 741-1019
Facsimile: (312) 264-0100

Attorneys for Plaintiffs (Additional Counsel Listed on Signature Page)

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

JOSEPH MARTINEZ IV and DANIEL PETRO, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

ZYNGA INC.,

Defendant.

Case No. 3:20-cv-02612

CLASS ACTION COMPLAINT

DEMAND FOR JURY TRIAL

Case 3:20-cv-02612-JSC Document 1 Filed 04/15/20 Page 2 of 41

TABLE OF CONTENTS

I. INTRODUCTION
II. PARTIES
III. JURISDICTION AND VENUE
IV. INTRADISTRICT ASSIGNMENT
V. FACTS
   A. Zynga provides “free” games in exchange for its users’ PII.
   B. Zynga collected PII from minors.
   C. With only non-existent or outdated encryption systems in place to protect customer PII, the PII of Plaintiffs and the Class were stolen from Zynga.
   D. Zynga has failed to adequately notify and protect its customers since learning of the data breach.
   E. Data breaches, like Zynga’s, cause financial, emotional, and physical harm to the victims, including to Plaintiffs and the Class
VI. CLASS ACTION ALLEGATIONS
VII. CLAIMS
VIII. PRAYER FOR RELIEF

Plaintiffs Joseph Martinez IV and Daniel Petro, individually and on behalf of all other persons similarly situated, by and through their attorneys, for their Complaint against Defendant Zynga, Inc., allege as follows:

I. INTRODUCTION

1. Defendant Zynga Inc. (“Zynga”) proclaims it is “a leading developer of the world’s most popular social games that are played by millions of people around the world each day.” Zynga promises that it has in place “reasonable and appropriate security measures to help protect the security of your information both online and offline and to ensure that your data is treated securely….”

2. In fact, hundreds of millions of people, including Plaintiffs, trusted and believed Zynga’s promise to protect their personally-identifying information, including name, email address, Zynga ID and password, Facebook ID and password and, in some instances, financial information given to Zynga for purchases for games and other in-game items (collectively, “PII”).[1]

3. Yet despite its promise, Zynga failed to protect its customers’ PII by, among other things, using password encryption methods that were banned for use by federal governmental agencies as early as 2010.

4. In September of 2019, Zynga’s customer database was breached by a serial hacker who had previously stolen and sold PII on the dark web. By current estimates, over 170 million Zynga accounts were accessed (the “Zynga Data Breach”). Although Zynga had notice of the breach and identified which of its customer accounts were accessed, Zynga never directly notified those customers.

5. Since the Zynga Data Breach, Zynga’s customers have been exposed to credit and identity theft, “credential stuffing,” phishing scams, and any other fraudulent conduct that a criminal mind can concoct. Plaintiffs have incurred and will incur costs to mitigate the risk from the data breach, such as paying for credit monitoring services, and will have to spend countless hours monitoring their credit reports and credit card statements. Regardless of whether they have yet to incur out-of-pocket losses, Plaintiffs and all Zynga customers whose PII was stolen remain subject to a pervasive, substantial, and imminent risk of identity theft and fraud now and for years to come.

6. This class action is brought on behalf of all persons residing in the United States whose PII was compromised in the Zynga Data Breach to redress the damages they have suffered and to obtain appropriate equitable relief to mitigate the risk that Zynga will be breached in the future.

[1] As used throughout this Complaint, “PII” is defined as all information exposed by the Zynga Data Breach that occurred on or around September 2019, including but not limited to all or any part or combination of name, address, telephone number, email address, gender, Zynga login and password, Facebook login and password, credit card information, and other personally identifying information.

II. PARTIES

7. Plaintiff Joseph Martinez IV is a resident and citizen of the State of Colorado and at all relevant times resided in Castle Rock, Colorado. In or about 2011, Mr. Martinez provided his PII to Zynga in order to create an account to access and play Zynga games. Mr. Martinez played Words with Friends, Words with Friends 2, Solitaire, Draw Something, and Zynga Poker, and made in-game purchases in Words with Friends, and perhaps others.

8. Mr. Martinez’s PII was stolen in the Zynga Data Breach. Mr. Martinez did not receive any notice from Zynga regarding the Zynga Data Breach, and only learned about it recently. Mr. Martinez confirmed through the website haveibeenpwned.com that his email was accessed in the Zynga Data Breach.

9. Plaintiff Joseph Martinez IV provided his PII to Zynga with the expectation and understanding that Zynga would adequately protect and store the data. If he had known that Zynga’s data security measures and protections were insufficient to protect his PII, he would not have created a Zynga user account and downloaded and played Zynga games, and would not have made in-game purchases. As a result, Plaintiff has been damaged.

10. Plaintiff Daniel Petro is a resident and citizen of the State of Iowa and at all relevant times resided in Des Moines, Iowa. In or about 2007, Plaintiff provided PII to Zynga in order to create an account to access and play Zynga games. Mr. Petro played the Zynga games FarmVille, Words with Friends, Zynga Poker, and Mafia Wars, and made in-game purchases in Mafia Wars and FarmVille.

11. Mr. Petro’s PII was stolen in the Zynga Data Breach. Mr. Petro did not receive any notice from Zynga regarding the Zynga Data Breach, and only learned about it recently. Mr. Petro confirmed through the website haveibeenpwned.com that his email was accessed in the Zynga Data Breach.

12. Plaintiff Daniel Petro provided his PII to Zynga with the expectation and understanding that Zynga would adequately protect and store the data. If he had known that Zynga’s data security measures and protections were insufficient to protect his PII, he would not have created a Zynga user account and downloaded and played Zynga games, and would not have made in-game purchases. As a result, Mr. Petro has been damaged.

13. Defendant Zynga Inc. is a Delaware corporation with its headquarters and principal place of business in San Francisco, California.

III. JURISDICTION AND VENUE

14. This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d). The amount in controversy exceeds the sum of $5,000,000 exclusive of interest and costs, there are more than 100 putative Class members, and Zynga is a citizen of a state different from that of at least one Class member.

15. This Court has personal jurisdiction over Zynga because Zynga is headquartered in this state and regularly transacts business in this state.

16. Venue is proper in this District under 28 U.S.C. § 1391(b)(2) because a substantial part of the events or omissions giving rise to Plaintiffs’ claims occurred in this district, including decisions made by Zynga that related to and led to the Zynga Data Breach alleged herein.

IV. INTRADISTRICT ASSIGNMENT

17. Assignment to the San Francisco division of this district is appropriate under Civil Local Rule 3-2 because a substantial part of the events or omissions which give rise to the claims occurred in the San Francisco division.

V. FACTS

A. Zynga provides “free” games in exchange for its users’ PII.

18. Zynga touts itself as “a leading developer of the world’s most popular social games that are played by millions of people around the world each day.”[2] Zynga develops, markets, and operates social games as live services played on the Internet, social networking sites, and mobile platforms in the United States and internationally. It offers its online social games under the Slots, Words With Friends, Zynga Poker, and FarmVille franchises. Zynga also provides advertising services to advertising agencies and brokers.[3]

19. At the end of 2019, Zynga had an average of an estimated 66 million users.[4] Zynga’s Words with Friends was the most popular mobile game in the United States in March 2017, with 13 million unique users for the month. It held that position in 2016 as well.[5]

20. Zynga’s games are accessible on mobile platforms, Facebook, and other social networks, as well as Zynga.com. Zynga offers a mix of paid and “free” games, which are available for download. Zynga’s “free” games are supported by in-game advertisements, in-game purchases, and its collection of users’ PII.

21. Zynga’s exchange of “free” games for its users’ PII has been extremely successful. In January 2020, Zynga’s CEO claimed that Zynga is “on track to be one of the fastest-growing – if not the fastest-growing – gaming company at scale.” In 2019, its stock gained 56%, eclipsing the S&P’s 29% increase.[6]

22. To play a Zynga game, the consumer must create a Zynga user account by providing their first name, last name, email address, and gender, and must create a password for the account. At all relevant times and based upon information and belief, Zynga did not collect information regarding a user’s age or date of birth, and thus, minors were able to and did create Zynga accounts.

23. Zynga’s customers have the option to link their Zynga account to their Facebook account instead of providing an email address, which requires providing Zynga with the customer’s Facebook username and password. Based on information and belief, if the consumer downloads the game on a mobile device, the Facebook information is mandatory.

24. Zynga retains its users’ names, email addresses, login IDs and passwords, password reset tokens, phone numbers, and Facebook IDs and passwords in its databases. When financial information, such as credit card details, is provided for game purchases or in-app purchases, Zynga retains that information as well.

[2] https://www.zynga.com/# (last visited 4/6/20).
[3] https://www.crunchbase.com/organization/zynga#section-overview (last visited 4/6/20).
[4] “Average monthly active users (MAU) of Zynga games from 4th quarter 2012 to 4th quarter 2019,” found at https://www.statista.com/statistics/273569/monthly-active-users-of-zynga-games/ (last visited 4/6/20).
[5] “Words With Friends trumps Pokemon GO as most popular US mobile game in March 2017 with 13 million users” (5/4/17) found at https://www.pocketgamer.biz/news/65662/words-with-friends-13-million-users-march-2017/ (last visited 4/6/20).
[6] “FarmVille Maker Zynga Is Booming Again” (1/3/2020), found at https://www.bloomberg.com/news/articles/2020-01-03/zynga-is-booming-again-after-wilderness-years-at-farmville-maker (last visited 4/6/20).

B. Zynga collected PII from minors.

25. One study estimates that 8% of all mobile gamers are ages 13-17,[7] and based upon information and belief, Zynga is aware that a substantial portion of its user base has been and continues to be minors.

26. In fact, Zynga acknowledged in Securities and Exchange Commission filings that it is subject to laws and regulations concerning the protection of minors, and that the “increased attention being given to the collection of data from minors” has required it to devote significant operational resources and incur significant expenses.[8]

27. Zynga’s PetVille was the subject of an investigative report which exposed that Facebook targeted Zynga’s game-playing minors, and duped those children and their parents out of money, in some cases hundreds or even thousands of dollars, and then refused to refund the amounts.[9]

[7] “The Mobile Gaming Industry: Statistics, Revenue, Demographics, More [Infographic],” (2/6/19), found at https://mediakix.com/blog/mobile-gaming-industry-statistics-market-revenue/ (last visited 4/6/20).
[8] Zynga Inc., Form 10-K, Fiscal Year Ended December 31, 2019, found at https://investor.zynga.com/static-files/d91122ee-c93f-468b-a48e-6d3b3c1441e3 (last visited 4/6/20).
[9] “Facebook knowingly duped game-playing kids and their parents out of money,” (1/24/19), found at https://www.revealnews.org/article/facebook-knowingly-duped-game-playing-kids-and-their-parents-out-of-money/ (last visited 4/8/20).

28. Facebook encouraged game developers such as Zynga to let children spend money without their parents’ permission, which Facebook called “friendly fraud,” in an effort to maximize revenues.[10] The children oftentimes did not know that they were spending money because while these games are free to download, they are packed with opportunities to spend actual money to advance further. These cash payments are designed to look like items within the game, making it difficult for a child to recognize that they are spending money.[11]

29. Children’s PII is particularly attractive to identity thieves. Children’s credit reports are clean, and minors do not check their credit reports or review monthly bills, which means thieves may not get caught for years or even decades. And a child’s credit cannot be frozen because most children do not have credit information or reports.[12]

30. For these reasons and others, “[c]hild identity theft is a growing problem in the United States.”[13]

C. With only non-existent or outdated encryption systems in place to protect customer PII, the PII of Plaintiffs and the Class were stolen from Zynga.

31. On September 29, 2019, The Hacker News reported that a serial hacker from Pakistan called “Gnosticplayers” breached Zynga’s Words with Friends and improperly accessed a “massive database” of more than 218 million users. The hacker reported that the breach affected all Android and iOS game players who had installed and signed up for the Words with Friends game on or before September 2, 2019. The information stolen included names, email addresses, login IDs, passwords, password reset tokens, phone numbers, Facebook IDs and Zynga account IDs.[14]

[10] Id.
[11] “Documents Show Facebook Knowingly Took Money from Unwitting Children,” (1/25/19), found at https://www.popularmechanics.com/technology/apps/a26041842/documents-show-facebook-knowingly-took-money-from-unwitting-children/ (last visited 4/8/20).
[12] “Identity Theft Poses Extra Troubles for Children,” (4/17/15), found at https://www.nytimes.com/2015/04/18/your-money/a-childs-vulnerability-to-identity-theft.html?searchResultPosition=1 (last visited 4/8/20).
[13] “Never Too Young to Have Your Identity Stolen,” (7/21/07), found at https://www.nytimes.com/2007/07/21/business/21idtheft.html?searchResultPosition=2 (last visited 4/8/20).
[14] “Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data” (9/29/19), found at https://thehackernews.com/2019/09/zynga-game-hacking.html (last visited 4/6/20).

32. The Zynga account passwords for those games were secured with SHA-1 cryptography, which is an encryption method that “has been considered outdated and insecure since before Zynga was even founded.”[15] SHA-1, or Secure Hash Algorithm 1, “dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016….”[16]

33. Other Zynga account passwords for different Zynga games were stored in plain text, and the hacker claimed to have accessed additional data which included clear text passwords for more than 7 million users.[17]

34. That millions of passwords were maintained in plain text and others in SHA-1 confirms that Zynga had inadequate security measures in place to protect and store its users’ PII.

35. Industry watchers have speculated that it is possible that all of Zynga’s accounts dating back to the launch of each game accessed by the hacker have been compromised.[18]

36. Zynga knew it was vulnerable to such attacks. As early as 2012, in a Securities and Exchange Commission (“SEC”) filing, Zynga reported prior hacking attacks and acknowledged that it “will continue to experience hacking attacks.” Zynga recognized that it was “a particularly attractive target for hackers,” because of its prominence in the social gaming industry. It reported that it had previously been the subject of “civil claims alleging liability for the breach of data privacy.”[19]

37. The hacker Gnosticplayers, responsible for the recent Zynga attack, is undoubtedly a thief. Gnosticplayers “is a known quantity in the digital criminal underground, having been observed selling hundreds of millions of breached accounts on the dark web since early 2019.”[20] Gnosticplayers had also claimed responsibility for two previous hacking incidents of other websites, one in February 2019 and the second in March 2019, where the hacker put information for millions of accounts for sale on the dark web.[21] “It should be assumed that all of these stolen passwords [from the Zynga Data Breach] will be available in the wild at some point, if they are not already.”[22]

[15] “Password Breach of Game Developer Zynga Compromises 170 Million Accounts” (12/30/19), found at https://www.cpomagazine.com/cyber-security/password-breach-of-game-developer-zynga-compromises-170-million-accounts/ (last visited 4/6/20).
[16] “The SHA1 hash function is now completely unsafe,” (2/23/17), found at https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html (last visited 4/6/20).
[17] “Password Breach of Game Developer Zynga Compromises 170 Million Accounts,” supra.
[18] Id.
[19] Zynga Inc., Form 10-K, Fiscal Year Ended December 31, 2012, found at https://www.sec.gov/Archives/edgar/data/1439404/000119312513072858/d489727d10k.htm (last visited 4/8/20).

38. All told, the Zynga Data Breach exposed the information of over 170 million of Zynga’s customers. According to the website haveibeenpwned.com, the Zynga Data Breach is the tenth largest of all time.[23]

[20] “Password Breach of Game Developer Zynga Compromises 170 Million Accounts,” supra.
[21] https://thehackernews.com/2019/09/zynga-game-hacking.html, supra. See also “Times when ‘Gnosticplayers’ hacker made headlines for selling troves of stolen data on dark web,” (9/30/19), found at https://cyware.com/news/times-when-gnosticplayers-hacker-made-headlines-for-selling-troves-of-stolen-data-on-dark-web-f8849502 (“Zynga Inc., and American social game developer is the latest victim of ‘Gnosticplayers’ hacker”) (last visited 4/8/20).
[22] “Password Breach of Game Developer Zynga Compromises 170 Million Accounts,” supra.
[23] https://haveibeenpwned.com/ (last visited 4/6/20). The website haveibeenpwned.com is a free online resource for an individual to assess if they may have been put at risk due to an online account having been compromised or “pwned” in a data breach. See also https://www.cpomagazine.com/cyber-security/password-breach-of-game-developer-zynga-compromises-170-million-accounts/, supra (“The amount of account records compromised would make this the 10th largest data breach of all time”).

D. Zynga has failed to adequately notify and protect its customers since learning of the data breach.

39. Zynga admitted that it had been breached in a September 12, 2019, statement posted on its website which it called a “Player Security Announcement.” But Zynga did not accept responsibility for the attack and minimized its scope. Zynga suggested that hacking is unavoidable: “Cyber attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers.”[24]

40. Zynga stated, “we do not believe any financial information was accessed. However, we have identified account login information for certain players of Draw Something and Words with Friends that may have been accessed.”[25]

41. Zynga’s website announcement – had its customers by chance discovered it – failed to offer its customers resources to manage the fraud and was devoid of any suggestions or instructions about protecting their identities and PII from fraud, such as imposing credit freezes, monitoring credit reports, and checking credit card statements. Instead, Zynga’s concern lay with its earnings projections as it concluded its announcement by reaffirming the contents of its “Q2 2019 Quarterly Earnings Letter” dated July 31, 2019.[26]

[24] https://investor.zynga.com/news-releases/news-release-details/player-security-announcement (last visited 4/7/20).
[25] Id.
[26] Id.

42. Zynga appears to have discovered the hacking close in time to when it occurred and before the hacking was reported in The Hacker News. And while Zynga’s website announcement admitted “we have identified account login information for certain players of Draw Something and Words with Friends that may have been accessed,” Zynga never notified those customers by email, or even by a pop-up notification in its gaming applications, so that those customers would be aware of the breach and take timely steps to protect their identities. Instead, it stated that it “plan[s] to further notify players as the investigation proceeds.”

43. The only alerts some customers may have received came from third-party haveibeenpwned.com, had those customers had the foresight to sign up for automatic notifications from haveibeenpwned.com. Those alerts were sent on December 18, 2019, three months after Zynga itself was aware of the breach.

44. On that same day, December 18, 2019, whether by design or by coincidence, Zynga modified both its Privacy Policy and Terms of Service.

45. An industry expert opined, “The disclosure of the full scale and nature of this breach, some three months after the initial announcement, is concerning. This delay, and the initial lack of information provided by Zynga to its users, has put victims at unnecessary risk.”[27]

46. Even to this day there may be millions of individuals who do not realize that their PII was stolen as a result of the Zynga Data Breach.

47. One primary concern of the Zynga Data Breach is the use of the username and password combinations in credential stuffing attacks.[28] “Credential stuffing” is when a cyber attacker takes a massive trove of usernames and passwords from a data breach and tries to “stuff” those credentials into the login page of other digital services. Because people frequently use the same username and password across multiple sites, attackers can often use one piece of credential information to unlock multiple accounts.[29]

[27] https://www.cpomagazine.com/cyber-security/password-breach-of-game-developer-zynga-compromises-170-million-accounts/, supra (quoting Oz Alashe, CEO of CybSafe, a cyber security awareness platform and cloud data analytics platform).
[28] Id.
[29] “Hacker Lexicon: What Is Credential Stuffing?” (2/17/19) found at https://www.wired.com/story/what-is-credential-stuffing/ (last visited 4/6/20).

48. “Compromised pairs of emails and passwords could be injected into commercial websites like Amazon and Ebay in order to fraudulently gain access. The vast majority of email and password combos won’t work, but a few will. That’s because many people reuse the same credentials on multiple websites.”[30]

49. But credential stuffing is not the only concern of the Zynga Data Breach. The breach also provides enough information for hackers to potentially create targeted phishing attacks made up to look as if they are an official communication from Zynga.[31]

50. In addition, because some customers have their games connected to their Facebook accounts, hackers can gain access to far more information to create a forged identity. “Logging in with this stolen information (including the 7 million Draw Something passwords left in clear text with this breach) makes it impossible to determine if the actual account holder is the one logging in.”[32]

E. Data breaches, like Zynga’s, cause financial, emotional, and physical harm to the victims, including to Plaintiffs and the Class

51. Annual monetary losses for cybercrimes are estimated to range between $375 billion and $575 billion worldwide. In the United States in 2018, there were 3 million identity theft and fraud complaints filed with the Federal Trade Commission. Of those, 1.4 million were fraud related, and 25% of those reported that money was lost. The median amount consumers paid in those cases was $375.[33]

52. But direct, monetary losses are not the only damages that victims of identity theft suffer. According to a Presidential Report on identity theft, victims of identity theft also suffer indirect financial costs, as well as physical and emotional injuries:

    In addition to the losses that result when identity thieves fraudulently open accounts . . . individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

    In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.[34]

[30] https://www.cpomagazine.com/cyber-security/password-breach-of-game-developer-zynga-compromises-170-million-accounts/, supra (quoting Oz Alashe).
[31] https://www.cpomagazine.com/cyber-security/password-breach-of-game-developer-zynga-compromises-170-million-accounts/, supra.
[32] Id. (quoting Robert Prigge, President of Jumio, which provides biometric verification services).
[33] “Facts + Statistics: Identity theft and cybercrime,” found at https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime (last visited 2/8/20).

53. The indirect costs of identity theft take victims away from their everyday lives. They spend less time on hobbies and vacations, and are forced to take time off of work and spend time away from their family. In 2016, more than 25% of victims had to borrow money from family and friends.[35]

54. The emotional toll that identity theft can take can be grave. Victims suffer from annoyance and frustration, fear of their financial future and financial security, and feel vulnerable, powerless, and helpless. Some seek professional help, and some feel suicidal.[36]

55. “Identity theft can be more than a hassle - replacing credit cards, closing bank accounts, or changing passwords. But for some victims, it can be a life-altering experience that also causes serious emotional problems and can even drive some to consider suicide.”[37]

56. There are also physical side-effects that victims of identity theft suffer. Individuals are unable to concentrate or focus, and suffer from fatigue, sleep disturbances, stress, loss of appetite, and an inability to work because of physical symptoms.[38]

57. The physical and emotional responses caused by identity theft can exist for years at a

[34] “The President’s Identity Theft Task Force, Combating Identity Theft, A Strategic Plan” (April 2007), p.11, found at h