Zynga Hacked: Guy gets £50,000 from virtual money

Ashley Mitchell, an IT professional from Paignton, Devon, England, was recently charged with hacking Zynga’s Facebook poker game. He admitted accessing Zynga’s computers and putting 400 billion credits into fake Facebook accounts, which he was then selling for real money. I think Zynga is trying to have its cake and eat it, too. On the one hand, they do not put rigorous security controls in place because it’s just a game and it’s play money. On the other hand, they want to cry foul and make analogies between virtual currency and real currency when someone bypasses their weak security and starts making money.

The details of the story are vague in the available sources. The Register has links to This is South Devon, which gives the most details I’ve found. He “posed as a site administrator”? Is that a social engineering attack, or did he actually gain administrative access? Was administrative access as simple as putting “admin=true” on a URL, or was it something more sophisticated? People assume that if you “hack” a system, you must be some superstar whiz with computers. It might not be like that. The stories released so far don’t say enough to know. The only published evaluations of Mitchell’s skill and sophistication are statements from a judge who said Mitchell used ‘considerable professional expertise’. Frankly, the judge is probably not qualified, himself, to make that assessment. I’d like a real computer security expert to understand the details here and explain them. Hacking Zynga games is not hard, so that leads to the question of whether Zynga was exercising due care over something that—they claim—has significant business value to them.

What is Zynga’s culpability here? If virtual currency is this important—if what this hacker did was like stealing $12 million—did Zynga have the kind of safeguards one would use to guard $12 million? There is a comparison to the Royal Mint that appears in several versions of this story; I assume it’s from a conversation that took place during the trial. If someone stole the equivalent of $12 million from the Royal Mint, it is true that the mint could print more money. But if the Royal Mint has the equivalent of $12 million lying around in one place, you can believe the security procedures are substantially more significant than what Mr. Mitchell overcame. I mean, if I leave $12 million in cash in a sack on the back seat of my car, and then someone breaks in and takes it, was I really taking reasonable care of that money? Is that really appropriate?

I made movies two years ago showing how to hack two different Zynga games, “Pirates” and “WordTwist.” The hack of WordTwist is a complete compromise of the game, but there is no money riding on the game. The hack of Pirates is innocuous and does not really impact the game play. But the point remains: if you want to hack games like this, it’s not all that difficult.

In some ways I am not sympathetic to the game company in this instance. Now, I don’t believe that Mitchell should get to go free. What he did was a crime, and he has a history of hacking. But if that virtual currency is the moral equivalent of real currency, then the software needs to protect it like it’s real currency. I think Zynga is trying to have it both ways: lax security because it’s just a game, but then crying foul when someone hacks the game and turns a profit.