Child-friendly games website Animal Jam suffered a hack that exposed 46 million user records after a staff Slack channel was compromised by malicious people who discovered a private AWS key.
Animal Jam chief exec Clary Stacey confirmed the hack after Bleeping Computer spotted information from the compromised AWS server being posted on stolen data bazaar raidforums[.]com.
At the time of writing, users of the forum were claiming to have decrypted at least part of the encrypted databases stolen.
In a statement, game developer Wildworks said: “We believe our vendor’s server was compromised some time between October 10-12, 2020. It was not apparent at the time that a database of account names was accessed as a result of the break-in, and all relevant systems were altered and secured against further intrusion. The database theft most likely occurred in the same October 10-12, 2020 time window.”
Bleeping Computer alleged 46 million player usernames and SHA-1 hashed passwords were stolen and leaked. Animal Jam usernames are said to be human-moderated to ensure kids playing games on the site weren’t using their own real names.
The site claims to have 130 million registered accounts. Wildworks said “approximately 32 million” usernames and passwords had been pinched.
About 12,000 parents’ full names and billing addresses were stolen, though Wildworks said “otherwise no billing information was stolen.”
“The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgeable hackers to break the encryption and expose your password as plain text,” continued Wildworks.
The full statement is available on its website.
A few years ago a poorly secured MongoDB database powering a suite of Internet of Things smart children’s toys was repeatedly held to ransom by malicious people, as we reported at the time. Meanwhile, a leaked AWS private key that same year let other malicious people rack up a $64,000 bill on DXC Technologies’ tab after they abused their illicit access to corporate infrastructure.
Updated at 08:41 UTC on 16 November 2020 to add:
Slack got in touch to say: 'We can confirm that an unauthorized user gained access to the WildWorks' Slack workspace through compromised WildWorks user credentials. There has been no breach to Slack's infrastructure. This may have been the result of malware or the re-use of credentials previously exposed.
'Slack recommends all users practice strong security measures by utilizing two-factor authentication and ensuring their computer software and anti-virus software is up to date. We also strongly encourage customers to utilize password managers like 1Password, or, at a minimum, create new, unique passwords for every service they use.'
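The breach above began with an AWS key that was readable inside a Slack workspace. As an added example (not code from Wildworks, Slack or the original article), the following scans a Slack channel export for AWS access key IDs and reports them redacted; the messages are constructed, the first credential pair is the placeholder used in AWS documentation, and the function names are this example's own.

```python
import json
import re

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case alphanumerics.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys: 40 characters of the base64 alphabet, standing alone.
SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample in the shape of a Slack channel export (a JSON array of messages).
# The first credential pair is the placeholder AWS uses in its documentation;
# the ASIA value is made up for this example.
SAMPLE_EXPORT = json.dumps([
    {"user": "U01", "ts": "1602316800.000100",
     "text": "prod creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
             "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "U02", "ts": "1602316900.000200", "text": "deploy finished, dashboard is green"},
    {"user": "U03", "ts": "1602317000.000300",
     "text": "session key ASIAEXAMPLEEXAMPLE12 expired, please re-auth"},
])


def redact(value, keep=4):
    """Keep only the prefix so the report does not become a second leak."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_export(export_json):
    """Return one finding per message that contains an AWS access key ID."""
    findings = []
    for msg in json.loads(export_json):
        text = msg.get("text", "")
        key_ids = KEY_ID.findall(text)
        if not key_ids:
            continue
        findings.append({
            "user": msg.get("user"),
            "ts": msg.get("ts"),
            "key_ids": [redact(k) for k in key_ids],
            # A secret next to the ID means the pair is usable as posted: rotate first.
            "secret_in_message": bool(SECRET.search(text)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Any hit should be treated as a compromised credential and rotated, since deleting the message does not revoke the key.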
GDC 2019
SAN FRANCISCO—This year's Game Developers Conference saw two game makers emerge with a possible chapter in a future dystopian sci-fi novel: the story of making money by letting robots do the work. In their case, that work was the procedural generation of smartphone games.
A single 'game jam' event led to a data machine that ultimately pumped out a decent amount of cash: $50,000 over a couple of years. Years later, with that data (and money) in hand, the makers of this game-making machine, which focused entirely on 'garbage' free-to-play slot machines, used GDC as a wake-up call to an industry where the 'right' messages often revolve around listening to players, sidling up to publishers, and racking up critical acclaim. In their case, eschewing all of that worked a little too well for their comfort level.
Winning the “race to the bottom”
In 2013, two video game makers had been trying for years to make it in the burgeoning mobile games space. One of them, Alex Schwartz, had helped get the solid mobile swiping-action game Jack Lumber off the ground. (In a past life, I gave that game a good review at the now defunct tablet-only magazine The Daily.) The other, Ziba Scott, had put together a fine mobile-friendly puzzle game, Girls Like Robots.
Both games operated in a pay-once, play-forever model without microtransactions. Both attracted awards, recognition, good expo showings, and publishers. Both failed to take off.
They looked at the meager income they were making doing it the 'right' way, as had been established by the old publishing guard. They then looked at iOS and Google Play marketplaces and saw that 'freewares, clones, and junk' dominate the general selection, let alone the actual money-making charts.
In one casual chat about the sheer weight of that business reality, the duo came to a conclusion: 'We could do better... at doing worse!'
They teamed up during the 2013 Global Game Jam to push something out that resembled the 'race to the bottom' they saw on mobile platforms. Thanks to the time-restricted nature of a game jam, they opted to buy a 3D slot machine asset off of the Unity Store (a marketplace that lets game makers pay modelers and animators for unrestricted use of various 2D and 3D assets) for $15. They then spent the rest of the jam creating a system that would automatically generate the rest of the skinning needed to make this basic virtual slot machine just unique enough to be published as its own smartphone app.
'Let's customize these like other slot machine companies do,' Schwartz said. 'They make themed slots. What's the minimum set of things to change to make a different slot machine? Let's change the title. Change the one image on the reel that might be relevant to your topic. So, like, a dolphin slot: put a dolphin in there [as the jackpot slot logo] with a special icon. Then the background is a scrolling dolphin image.'
The original word list was hand-curated based on what the team thought was interesting but also generic and safe-for-work. The most scintillating name they went for at that point was '3D Sexy Librarian Slots.'
With the visuals knocked out, the duo went one step further: creating custom music.
'A crappy song would play, then use text-to-speech to sing the word 'dolphin' in the Google Translate monotone voice. It'd play that every time you won. It'd say the name of your game in the music,' Schwartz said.
As a result, with the press of a single button, a Unity script could put those steps together and essentially auto-generate hundreds of 'custom' slot machines. Schwartz and Scott confirmed that their automated system's scraping of public images exposed one issue: Google Image Search would throw up errors for exceeding the rate limit. 'We found a use for Bing,' Schwartz said in a phone interview with Ars. 'Its image search had a number of things that were looser. I'm not trying to knock them, but they have a reputation for being second class. That felt like a kindred spirit for what we were trying to achieve here.'
“A portal to a better world”
With that slot-creation template set, the team automated the process of feeding information to Google Play (a much easier marketplace to exploit than iOS at the time) and creating publicly available freeware slot machine apps with ads. One simple Selenium script later, and that process was done.
The duo could feed a single slot-machine keyword into their combined scripts, which took 'a few hours' in all to build, then watch on a 'ghost monitor' as its system faked like a human, clicked every appropriate checkbox, picked every country, agreed to every terms-of-service agreement, and filled in every appropriate text box—then took the auto-generated slot machine and uploaded it for anyone to play.
They attached mobile ad network Playhaven to the whole thing because the duo's philosophy was that they never wanted to take actual money from users who would download their bizarrely named apps. They then 'walked away' for two months. After that period of dealing with real-life work, they peeked at their income and advertising statement and were stunned: people were downloading their apps, and 27 percent of those people were clicking on their ads, driving roughly $211 of ad revenue per day.
The team came up with a theory: 'All of our advertising keywords were related to casino related content,' Schwartz said to Ars. 'We had an epiphany: our game looks so fucking terrible, but people downloaded it for some reason. When they see an ad for a much better slot machine or casino, they click it because... of course you do! That's a greener pasture! A way better future you could be having! We think the quality was so low in our shit that the ads were a portal to a better world.'
Yet the duo incredulously admits that its average rating for many of the apps was in the four-star range and that reviews were quite kind. One review stood out to Scott, for the auto-generated '3D Bowling Slots' app: 'Someone wrote that they were disappointed that the slots didn't have much to do with bowling.'
Supervillain origin story?
The engineering half of their brains wanted to see how far this enterprise could take them. So they began tinkering with the existing template with things like the automation of slot-machine descriptions.
Google Trends seemed like a good idea, but that usually led to trademarked or public-figure names, and the team wasn't interested in getting out of the 'automation' loop by having to deal with a high volume of takedown requests. So they opted for a slightly updated app-name template: the word '3D,' plus an adjective, plus either an animal, location, or country, plus the word 'free.'
Examples included 3D Tremendous Face Pain Slots, 3D Rough Elbow Slots, 3D Mild Dogwood Slots, 3D Viceroy Butterfly Slots, and 3D Inexperienced Great Horned Owl Slots. (They eventually made T-shirts to commemorate the latter.)
Schwartz and Scott also paid a small Romanian studio a pittance to build a higher fidelity slot machine, which they eventually discarded. That happened in part because the duo's mix of newer full-time work and ethical concerns crowded out their excitement and availability.
'Someone said, you could raise money on this idea, or sell this data to someone else, or sell your company,' Scott said to Ars. 'We were at a crossroads where the joke was similar to the origin story of a supervillain. Do we abandon all creative pursuits to make the most intense money-making slot-creating enterprise? Or does this continue being a tiny background of 1/20 of our day?'
Eventually, the headaches of keeping up with Google Play caught up to the team. Apps were removed for violating an updated terms of service that gave Google more leeway to cut out apparent crapware. Google also updated the Web interface on a somewhat regular basis. Moving a single box a few pixels could throw a wrench into the Selenium robo-clicking works, which the team had previously designed to auto-upload 15 apps a day (Google Play's upload limit for a single developer account at the time).
At one point, the app network Playhaven called the duo with a flat declaration. 'We're seeing erratic data on your account,' Schwartz said to paraphrase. 'We're not sure what's up. We're not interested in continuing to serve ads to your slot machines. But we want to be clear: you didn't break our ToS. You're just, I don't know, inconvenient.'
Playhaven then added, 'You have the worst users. People who come from your apps don't spend money.' The team switched to another ad provider immediately, Chartboost. 'They knew roughly what we were doing,' Schwartz said. 'They've been great.'
“Optimized to remove our content”
This many years later, all of the roughly 1,500 apps generated by this experiment are dead. And Schwartz and Scott think of the whole affair as a mix of a joke and a productive wake-up call.
'Our half-joking argument: by offering the largest target of low-quality garbage apps, these marketplaces became optimized to remove our content,' Schwartz said to Ars. 'You could almost say that our company trained their algorithm so that what we were doing could eventually not be possible. But we were the first to bring it to that level.'
In their GDC presentation, Schwartz mostly left the data up for people to peruse in a laughing manner, but also with a human angle about the costs that might arise if you chase such a robo-generated app dream with profit, not laughs, as the goal.
'This whole project was an itch that felt so good to scratch,' Schwartz said at GDC. 'We thumbed our noses at the mobile market that had broken our hearts in 2013. We laughed the whole way... The truth is I don’t give a fuck about slot machines. We’ve moved on. If there’s a business lesson in that, I’d say: scratch your crazy itches, give that insane idea a try. But even if it does work out... be prepared to walk away because it may only have been the attempt that made you happy, not the result.'