Matt Spencer has been an active player of "YoVille" since the Zynga-owned virtual world launched in 2008, but hasn't played the game in about three weeks.
In late January, Spencer's "YoVille" account was compromised, he said, and he lost much of his collection of virtual items, including millions of virtual coins and a pair of sunglasses that have become a collectors' item. Over the four years he's played the game, Spencer, a 28-year-old mechanic from Lebanon, Pa., has spent $1,500 to $3,000 on virtual items.
Spencer immediately reported the theft to Zynga and eventually filed a complaint with the Better Business Bureau, but has yet to have his items restored.
"I have put (too) much time and money into this game to be treated like this by Zynga," Spencer said in an e-mail. "I have been a trusted player for four years and fear if things don't change fast this might be the end of 'YoVille.' "
Zynga is aware of the security problem and is addressing it, said Cadir Lee, the company's chief technology officer. The company first started to get reports about it "a few weeks ago," he said. The company investigated the issue and found that it was due to some "compromised administrative and moderation tools," he said. Zynga has since fixed the problem, he said.
In all, fewer than 1,000 "YoVille" players were affected by the attacks, and Zynga believes it has restored to everyone who was legitimately affected by the attacks the virtual items they lost, he said.
"We certainly see (the attacks) as something unusual," he said. "We've had relatively few incidents in 'YoVille' of this sort. We went ahead and dug into that and fixed the issues that we found."
Spencer was among numerous "YoVille" players who contacted this newspaper after seeing their virtual items disappear in recent weeks and months. Many attributed the issues to a group of hackers who openly boasted on Facebook and elsewhere that they were using a hack of the game to scam other users. One self-identified "YoVille" hacker posted pictures on Facebook of clothes he bought at AeroPostale with money he claimed to have earned from selling stolen "YoVille" items.
In "YoVille," virtual items can be purchased with real money at an exchange rate determined by Zynga. Zynga bars players from trading those goods among themselves for real cash, but it frequently happens, albeit at a fraction of the game's official exchange rates. "YoVille" coins can be had for about $25 or less per million in the gray markets, whereas the official exchange rate is 70,000 coins for $100.
Lee declined to comment on the alleged hackers who were using the exploit.
Unlike other hacking episodes, there's no indication that users' personal information or credit card data stored on Facebook or Zynga has been compromised. Instead, the attacks appeared to be focused on users' "YoVille" characters and the virtual goods they have purchased in the game. The exploit appears to have given hackers capabilities in "YoVille," such as the ability to transfer goods from another person's account, that are usually reserved for game administrators.
People hacking games to get free stuff is a long-standing problem, said Lawrence Pingree, a security analyst at Gartner, a technology research firm. But with older games, hackers tended to focus on defeating anti-copying technology so they could play the game for free, he said. These days, hackers focus on scamming the game for free goods within it or to steal goods that they can sell to other players.
Zynga itself is a past target. Last year, a British hacker admitted to stealing $12 million worth of poker chips from "Zynga Poker."
"It's kind of scarier than the old games," Pingree said, adding, "these are things we are likely to see more of."
"YoVille" is one of Zynga's smaller games, noted Michael Pachter, a financial analyst with Wedbush Securities. According to Facebook, every month some 1.5 million users play "YoVille." That represents less than 1 percent of the 240 million monthly total players of all of Zynga's games.
Despite Lee's assertion, Spencer wasn't the only "YoVille" player who said that he hadn't yet gotten his items restored. Several others who contacted this newspaper after being attacked said that "YoVille" had denied or ignored their claims.
Among them is Amy, a 39-year-old Alpine resident, who asked that her last name not be used, because she feared retribution from the hackers. Last month, one of her "YoVille" friends told Amy that his account had been compromised and many of his virtual goods -- things like clothes, hairdos and furniture that players use to personalize their characters and in-game living spaces -- had been taken. She immediately checked her own account and found that her most prized possession -- a pair of pink retro-style glasses -- was missing.
The glasses, which she received as a gift from a friend and still hasn't gotten back, are now a collectors' item worth about 6 million "YoVille" coins. That's $8,600 at Zynga's official exchange rates, but about $150 with gray-market coins. Although she reported their disappearance to Zynga soon after, she has yet to receive a response from the company.
"All my friends ... are all scared to go on there," she said. 'YoVille' just isn't fun anymore."
Lee said Zynga has extensive records of the items in players' accounts and their activities on the site. But, he said, the company is willing to take another look if particular users haven't yet gotten their items restored.
"We'll continue to try and dig deeper if something haven't resolved," he said.
In a forum post, a Zynga customer service representative charged that many players were lying about having lost items.
"We have been receiving a lot of false claims from players who are eager to get their hands on some free items," the representative said. "We need your help in distinguishing fake claims from legitimate ones."
One person whose items did get restored was Rob Jarrett, 31, of Morristown, N.J. Jarrett, who was hacked late last month, had his avatar changed and lost all of the items in his inventory, including numerous "YoVille" coins. All told, the stolen items were worth about 100 million coins, or about $2,500 at unofficial rates. A "YoVille" player since 2010, Jarrett got most of his items back, but it took several days and the items were restored only after he contacted the Better Business Bureau and sent a personal email to Zynga CEO Mark Pincus.
Despite having most of his items restored, Jarrett, who spent eight to 10 hours a day playing the game when he first started and still spends about an hour a day on it, said he's "pretty sure" he's going to quit. He feel violated and frustrated that the company didn't address its security problems until after the recent attacks started happening.
"It just shouldn't have come to that," he said. "They handled the situation so bad."