Connect with us

Hi, what are you looking for?



Payment Card Data Compromised in Big Fish Games Breach

A piece of malware installed on the systems of Seattle-based casual gaming company Big Fish Games has been used to steal customer payment information.

A piece of malware installed on the systems of Seattle-based casual gaming company Big Fish Games has been used to steal customer payment information.

According to Big Fish Games, the company discovered the breach on January 12. The malware was installed on the billing and payment pages of the company’s website and it appears to have intercepted customer data such as names, addresses, payment card numbers, expiration dates, and CVV2 codes. The attackers have not been identified.Big Fish Games hacked

In a letter sent out to affected individuals, a copy of which was published last week on the website of the California Attorney General, Big Fish Games noted that only customers who had entered new payment information on the company’s website between December 24, 2014 and January 8, 2015 may be affected. Those who used payment information from a previously saved profile don’t appear to be impacted.

Big Fish told SecurityWeek that there is no indication that this issue had any impact on customers who purchased games for iOS and Android devices, or through Facebook.

“We have taken the necessary steps to remove the malware and prevent it from being reinstalled. We have reported the incident to and are cooperating with law enforcement. We have also informed the credit reporting agencies and payment card networks about this incident so that they make take appropriate action regarding your card account,” Ian Hurlock-Jones, the CTO of Big Fish Games, wrote in the letter sent to affected customers.

The gaming company is offering impacted individuals a complimentary one-year membership to Experian’s ProtectMyID Alert service. Users can activate the service by May 31, 2015.

It’s uncertain how many of Big Fish Games’ customers are impacted by the breach, but the company told SecurityWeek that the incident “resulted in the interception and diversion of payment information of a small percentage of our total customers.”

“Upon learning of the potential security incident, we immediately took steps to remove the malware responsible for the issue. We hired a leading data security forensics firm to assist in our investigation of the incident to fully understand the event and to help us better assure data security going forward,” said a Big Fish spokesperson.

Advertisement. Scroll to continue reading.

Founded in 2002, Big Fish claims to be the world’s largest producer and distributor of casual games. The company says it has distributed more than 2.5 billion games to customers in 150 countries.

Several major companies reported suffering payment card data breaches in the past year. The list includes Home Depot (56 million cards compromised), TripAdvisor’s Viator (1.4 million cards compromised), Goodwill, HSBC Turkey, and P.F. Chang’s.

*Updated with statement from Big Fish Games

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...