Active breach of i-Dressup

i-Dressup, a community for teenage girls, is actively leaking passwords in plain text.

Being a parent is tough in the digital age. The bullies and predators you have to worry about have expanded beyond physical threats to ones that lurk around every corner of the World Wide Web.

Being online lets kids connect with people around the world and make more friends, faster, than imaginable for someone who grew up without the Internet, like yours truly. Communities have popped up online for kids with interests varying from Hello Kitty to League of Legends to crafting and fashion — not to mention the traditional social networks. One such network that has millions of users is i-Dressup.

From the site’s FAQ: I-Dressup is a flash dress up games site and an online community that encourages members to explore their creativity and fashion sense with unique personal profiles. From the moment you join iZone, our online community, there are tons of ways to create, communicate, participate and have fun! For members under 13, parental consent is required to access certain features of iZone.

Unfortunately for the millions of users of this site (and their parents), their data has been compromised. To make things worse, according to Ars Technica, the site owners did not respond to contact attempts from Ars and Have I Been Pwned? noting that there was a data leak on the site days ago.

Thus far it is estimated that more than 2 million passwords have been stolen using the SQL-injection vulnerability. To make matters worse, the passwords were stored in plain text, not encrypted. The Ars post notes that the vulnerability is still active and could affect the accounts of up to 5.5 million teenage girls.

What does this mean?

In any data breach, personal information may be sold to the highest bidder or simply dumped online for everyone to see. In the case of minors, the risk of identity theft going undetected is greater because most teens won’t yet have started monitoring their credit reports — and won’t until they begin applying for credit cards and jobs.

So, similar to the Hello Kitty breach from the 2015 holidays, this could mean potentially more than 5 million kids falling victim to a crime.

What should you do?

For starters, you should work with your children to delete their i-Dressup account (we would suggest changing the password, but that won’t help; seems that the vulnerabilities are still in place) and to check the security settings of the e-mail account associated with their i-Dressup account.

You should also let your kids know that they should not reuse passwords. If they reused MyLittlePony on their Facebook, Snapchat, and other accounts, they need to change all of those passwords as well. The important thing to stress is that with one set of passwords out there, someone could take over their other accounts as well.

You should also make your kids aware of the e-mail scams that may follow this breach: scammers trying to impersonate site representatives to try to get them to click malicious links or even shake them down for money.

As a parent, you should also make sure that you have a strong security solution covering your family’s devices (phones, computers, tablets, etc.). If you want to make sure your kids don’t go to sites that they should not, you can also consider looking at tools that offer parental controls. One solution we would suggest here is Kaspersky Total Security, whose robust features help you to protect devices as well as monitor your kids’ activities both online and off (you can tailor settings to your children’s age and family rules). Click here to download a free 1-month trial.