Digital Privacy Industry News

Data Breach: Bad actor leaks 23 million account credentials from Webkinz children’s platform

Over the weekend, ZDNet learned that nearly 23 million usernames and hashed passwords of the Webkinz World online children’s game platform were leaked on a popular hacking forum.

Released by Canadian toy company Ganz in 2005, Webkinz World has consistently grown in popularity, allowing little ones to explore a virtual world with their plush toy after entering a special code online.

According to Under the Breach, a bad actor posted 1GB file containing no less than 22,982,319 usernames along with the hashed passwords of players enjoying the Webkinz World variety of online kids’ games.

In a Webkinz tweet on April 19, the platform does not appear to acknowledge the data breach or leak: “We are aware of a story today alleging a data breach,” Webkinz wrote. “Your account security is of utmost importance to us, and we are investigating thoroughly. Please note that we have never asked for addresses, phone numbers or last names, and Webkinz accounts are not connected to eStore account data in any way. If you have any concerns, we encourage you to change your account password using the button on the Webkinz Login Screen.”

However, according to the initial publication, the platform’s staff had already detected the security incident and managed to fix the vulnerability in their system to prevent any further damage.

Unfortunately, it is not clear if the leaked pairings of username and passwords are scraped only from the platform’s active pool of players.

After 18 months of inactivity we will archive an account,” reads the notice on the gaming platform. “For security purposes, during the archiving process, we remove all information associated to the account other than then User Name and Password. Please note that if an account remains inactive for a period of 7 years, Ganz will then delete that account.”

The incident stands to prove that, no matter the industry or online platform, nobody is safe from cyber criminals. Hackers will attempt to penetrate any system and, as with any data breach or leak, users should be aware of the risks.

Even if the passwords are hashed, they are not breach proof. A hacker can still attempt to crack a password through a brute force attack. If he succeeds, and you have used the same email address and password to log in on another platform, he can easily take over other existing accounts.

It’s best to avoid using the same email address and password combination for multiple online accounts. But if you do, try to create a strong password (it can even be a phrase), and enable a multi-factor authentication method.

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.