Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one another in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords stored as a scrambled, one-way representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. Hashed passwords can still be recovered, or “cracked,” if hackers have the means to do so. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. This is a strong reminder for Webkinz users, especially those who used the platform as children but are now adults, who may be using the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.

More than 7,000 businesses applying for emergency loans may have had their personal information exposed by a Small Business Administration (SBA) data exposure. The SBA’s failure to secure the data, which was discovered on March 25, was due to a programming error in the administration’s online application portal for Economic Injury Disaster Loans (EIDL).  

According to POLITICO, the application system may have disclosed personal information to other applicants of the program. Some of the personal information from the SBA data exposure may have included Social Security numbers, contact information, names, addresses and income amounts.

According to the SBA, the Paycheck Protection Program (PPP) was not affected because it began April 3 and is also handled by a separate online system. However, businesses that applied for an EIDL were notified about the Small Business Administration data exposure and have been offered one year of free credit monitoring services.

In a statement, the SBA said “We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal. SBA continues to process applications submitted via email, paper and online.”

While exposing business data might not always rise to the same level of risk as personal data, personal and business data are often commingled when the business entity is a small business. Because of that, it is important that people impacted by the SBA data exposure protect both sets of data by freezing their personal and business credit if both are involved. The Identity Theft Resource Center (ITRC) also recommends that those who could have been impacted monitor their accounts carefully for any suspicious activity, change the passwords for any accounts with sensitive information and consider the free credit monitoring services that are being offered.

If anyone believes they are a victim of identity theft or have had their information exposed due to the Small Business Administration data exposure, they are encouraged to call the ITRC toll-free at 888.400.5530 or to live chat with an expert advisor. Advisors can help small businesses – who utilize a personal Social Security number – and consumers create an action plan that is tailored to their unique circumstances. Victims can also download the ITRC’s ID Theft Help App where they can track their steps in a customized case log. Documenting the process post-breach is more important now than ever with the recent requirements of victims to provide proof in order to receive compensation after a data breach settlement.

The IRS has started distributing stimulus check payments to the nearly 140 million Americans that are eligible. While many have received their stimulus payment through direct deposit, according to CNN, 60 million Americans are still waiting for their money.

The IRS created a portal in hopes that people would be able to check the status of their stimulus check payment. However, due to overload and glitches being worked out, the website has not worked for everyone.

One reason why people might not have received their stimulus check payment is because they are victims of tax identity theft. However, there are many other reasons why people might not have received their payment that they should explore first:

1. People who are not normally required to file a tax return. Individuals who make less than $12,200 a year (or less than $24,400 for married couples) are generally not required to file a tax return. For the process of receiving a stimulus check payment, these people have to enter their information into a new IRS portal to get their money.

2. Someone’s refund went to a temporary account that was set up by a tax preparer. According to a report by WALA-TV, when people use tax preparation services, sometimes a temporary account is set up to handle the transactions, which could lead to a longer wait for a stimulus check payment.

3. Not everyone got a federal tax refund in 2018 or 2019. Some consumers did not get a refund after their last two tax filings. In fact, if someone owed taxes the last two years, they could still qualify for the stimulus. Only consumers who received a refund from the IRS to a direct deposit account will be processed for stimulus direct payment.

4. Some people’s refunds might have gone to an old bank account. This could happen if someone filed their 2018 tax return with bank account information that is no longer valid and has yet to file a 2019 tax return. For people who have not filed their 2019 tax returns, the IRS is using information from their 2018 tax refunds.

5. Some people might have filed a paper return in 2019. People who filed their taxes with paper returns will mostly receive their stimulus check by mail because the IRS has stopped processing paper returns until they can reopen their centers.

6. It has been seized by a private debt collector. If someone owes money for private student loans, credit cards or medical bills, their stimulus check could be at risk. The CARES Act does not restrict private debt collectors from taking the check to pay off debt.

7. If there is anyone who does not fall under any of the categories listed above, they could be a victim of tax identity theft. The Identity Theft Resource Center (ITRC) is receiving calls and live chats from victims claiming their stimulus checks were intercepted. According to the Treasury Inspector General for Tax Administration, the agency has already begun to see scammers pose as the IRS to get personal information from payment recipients that they can use to steal money. While the IRS Criminal Investigation Unit is doing what it can to combat the problem, it has seen scams that are preying on vulnerable individuals who are not sure how they will get their stimulus check payment.

To avoid falling victim to tax identity theft due to the stimulus check, consumers are urged to not respond to any messages they receive that they are not expecting. Instead, they should contact the company, organization, or entity directly to verify the validity of the message. Also, it is important for people to stay informed about what is happening. The IRS will not contact anyone asking for personal information. If someone receives a phone call, email or text message claiming to be the IRS, it is probably a scam.

If anyone thinks their stimulus check landed in the hands of a thief, they can visit to get started on a personal recovery plan.

If someone believes they are a victim of tax identity theft, they can live chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Callers are encouraged to leave a message due to advisors working remotely. However, they will return calls as quickly as they can.

It is more important than ever that consumers use strong security questions with strong security answers on their online accounts. With most people home due to the COVID-19 pandemic, more consumers are required to shop online to do their food and household purchasing. That means a lot of online accounts have been and will continue to be created. One common step in creating an online account is picking a security question in case the creator of the account cannot remember their password. It is meant to be another layer of security for the authentication process.

While this alternative way of identifying customers can be very useful, it could also put more personal information at risk of compromise should the company fall victim to a data breach. For example, if someone selected “What are the last four digits of your Social Security number?” as their security question and provided that credential as the answer and the company’s online user database was breached, hackers could have that piece of personal information to use to flesh out more details of the person’s identity credentials.

However, there are things people can do to keep themselves safe while using strong security questions as another form of authentication.

When creating an answer to a security question, the response doesn’t have to be the exact answer. In fact, the Identity Theft Resource Center would encourage people that are signing up for online shopping, and other non-sensitive online accounts, to provide alternative answers. Doing so creates a strong security answer because it would be nearly impossible for anyone to research or guess. For example, if “What is my mother’s maiden name?” was selected as a security question, using an alternative like their mother’s nickname or some other name doesn’t give away a very valuable component of your security question. The answer should be stored in a password manager or on a piece of paper that is securely locked away.

With that said, creating alternative answers to security questions should only apply when someone is creating an account for a business or institution that doesn’t require highly sensitive information to verify their identity. If someone was creating security questions and answers for an account with a bank, lending institution or medical provider that uses that information to authenticate the user’s identity, they would want to provide accurate answers because the answers could be used to verify identity.

Some other tips to keep in mind while trying to pick strong security questions include:

  • Select a security question that cannot be guessed or researched over the internet, social media profiles, etc.
  • Select a security question that will not have to be changed over time
  • Select a security question that is easy to answer, but not obvious to others or easily researched
  • Select a security question with a precise answer that does not create confusion

Users should make sure they are selecting strong security questions that will keep them safe. They should not be afraid to use alternatives for the answer if it will protect identity credentials. People should also make sure their answers are as strong as their passwords. People can do their part to protect themselves and shop online for all the things they need to get through the COVID-19 pandemic, and beyond.

For more information about protecting your online accounts, contact the Identity Theft Resource Center to live chat with an expert advisor or call toll-free at 888.400.5530.

Schools, businesses and individuals are making drastic changes right now due to concerns surrounding COVID-19. Some of the protective measures, such as social distancing and self-isolation, translate to technology picking up the slack to keep businesses and education moving forward. However, that is leading to privacy issues, particularly around kids using technology in ways it was not originally intended to be used.

One platform stepping in to fill the need is Zoom, a videoconferencing tool that allows users to talk, video chat, instant message and even screen-share in real-time. This long-time business tool is now being used for everything from online classes to social get-togethers, but malicious users have already figured out how to crash virtual meetings.

A new practice, known as “zoom-bombing,” happens when an uninvited user works their way into a user’s Zoom session and causes a disruption. Reports so far have included “bombers” dropping in and writing racial slurs across the screen, posting pornographic images for all the viewers to see and more.

Zoom was created to allow businesses to communicate quickly, effectively and on-the-go. Because of that, creating an account was set up to be very simple and does not require much authentication. Now that more people are using the platform, including teachers for grades K-12, and finding creative uses for this tool, the concern about privacy, and especially that of children, is even more real.

In fact, some Zoom conferences hosting children have already been compromised. Recently a Zoom conference with students from the Orange County Public School System in Florida was disrupted after an uninvited guest exposed himself to the class. In Boston, a group of students shared inappropriate content.

Zoom is working on a fix that will help stop intrusions and increase security, particularly child privacy, making it important that users download any updates issued by Zoom. Before using the platform, users can also take precautions by changing the default security settings. That includes requiring a password to enter the conference, using the “waiting room” feature to screen participants and only allowing authenticated users to join the meeting.

Users can also be more aware of how they are engaging with other people with their Zoom accounts. Ultimately, the platform relies on each user making smart decisions about how they are sharing their meeting rooms. Some child privacy aspects to consider:

  • Making sure to not share meeting invites with others on public profiles, such as inviting others to attend on social media
  • Teachers hosting Zoom meetings are encouraged to change the platform’s default settings before each session

This is an important reminder that this type of technology, especially platforms that function online and are accessible by other users, can have serious privacy ramifications. As many public schools and activity groups are now using Zoom to interact with children, it is even more important that users understand how to protect themselves. Parents should make it a habit to remain nearby while their children are on Zoom in order to end the session immediately if something unexpected takes place.

To increase child privacy, parents are encouraged to talk to their kids about proper online conduct before any virtual meeting. It is also recommended that if someone’s child is going to interact with other children on Zoom, parents should remind their kids that the same rules that apply in the classroom – or other in-person meetings – apply on Zoom.

If people have questions regarding their privacy on social media or accounts, they can live chat with an expert ITRC advisor at no-cost.

Two financial companies that appear to be connected were the apparent source of a financial database leak of important client and employee data. The database was linked to the MCA Wizard app, which was created by Argus and Advantage. According to vpnMentor, who discovered the unsecured information online, Argus and Advantage had stored more than 500,000 sensitive documents—many of them financial records or personally identifiable information—in an Amazon Web Services S3 storage bucket. These cloud-based servers allow companies to store data off-site and access it remotely. However, as many other companies have learned, the security protocols are not automatic. That means the S3 bucket is not automatically password protected and does not automatically require other security steps.

The information that the security researchers discovered from the financial database leak contained a wide variety of uploaded documents. Credit reports, driver’s licenses, tax returns, bank account information and access, Social Security information and much more were included in the database, which was discovered in December of 2019. Since the date the financial database leak was discovered, the researchers saw new information added to the compromised database.

Attempts to reach the companies were unsuccessful. vpnMentor was unable to find contact information for one of them, and emails to the other company came back as undeliverable. The only recourse was to contact Amazon Web Services, which was eventually able to take down the database.

There has been no word yet on data breach letters being issued due to the financial database leak or if any malicious hackers accessed the database before it was taken down. Potentially, anyone who thought to look for it was able to access the entire cache of information, which is how the researchers discovered it. In the meantime, there are steps that consumers can take if they are concerned that they have done business with these companies or their information might have been included in the compromised database.

  1. Victims should place a freeze on their credit report with the three major reporting agencies.
  2. People should sign up for alerts from their financial institution that will notify them of activity on their accounts.
  3. People are encouraged to change the passwords on any sensitive accounts.
  4. Victims should enable two-factor authentication on important accounts.
  5. People should monitor their accounts closely for signs of unusual activity and report those incidents if they see anything suspicious.

If someone believes they are a victim of either the Advantage or Argus financial database leak, they are encouraged to contact the Identity Theft Resource Center through the website to live chat with an expert advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist victims as quickly as possible.

There are many different ways a person’s information can be stolen in a data breach. General Electric (GE), one of the largest electronics companies in the world, announced that information belonging to current and previous employees had been exposed through a Canon data breach.

On February 28, 2020, GE was notified that there was a third-party data breach affecting its employees’ sensitive information. The third-party provider, Canon Business Process Services, suffered a breach of one of its employees’ email accounts. The account, which is believed to have been accessed sometime between February 3 and February 14, led to secure documents that more than 280,000 employees had uploaded to GE during the course of their employment.

These documents provided personally identifiable information (PII), including Social Security numbers, passport numbers, driver’s license numbers, bank account numbers for direct deposit and more. Information on the employees’ beneficiaries was also compromised.

Canon is providing coverage for GE employees who were impacted by the Canon data breach, including two years of identity protection and credit monitoring. Victims of the Canon data breach will be notified by letter and have until June 30, 2020, to take advantage of the services that are being offered.

In the Canon data breach or any data breach event, the notification letter is a very important part of the process. It informs the recipients of what incident occurred, what information is believed to have been stolen, what steps the victims can take to protect themselves and any support that is being provided to protect the victims. The letter itself serves as more than just a notification; in the event the identity thieves use the victims’ information in a criminal way, it can also provide some proof that the victims’ information was actually stolen.

If someone believes they are a victim of the Canon data breach that affected GE, the Identity Theft Resource Center is standing by to provide information and resources, and to help victims create an action plan tailored to their needs. Victims are encouraged to live chat with an expert advisor or to call toll-free at 888.400.5530. If victims call, they will have to leave a message due to advisors working remotely. However, advisors will work to return calls as soon as possible.

While people continue to take protective measures in order to avoid COVID-19, some groups are actively working harder. It’s not just the essential workers, healthcare workers or first responders. Unfortunately, scammers are also putting in overtime to take advantage of the current situation.

Recent reports of quarantine-based scams have included unemployment benefits identity theft, IRS stimulus check scams, and now dating app scams and COVID-19 romance scams. While these have always been a known threat, newsworthy events like the COVID-19 pandemic often lead to an increase in scam activity. Scammers are increasing the number of romance scams now that more people are on dating apps due to isolation. Also, scammers are changing their stories to include COVID-19. Fortunately, while the other virus-related scams may be hard to spot because they are based on actual current events, avoiding a COVID-19 romance scam might be a little bit easier.

It is important that consumers know the signs:

  1. A plausible reason why the person is reaching out to strangers. Even before the virus, the reason usually had to do with boredom and isolation, which are abundant right now.
  2. A job or location that prevents them from communicating on a regular basis. Again, before the virus, those jobs often included occupations like off-shore oil rig worker, deep-sea fishing boat captain or deployed soldier. Due to COVID-19, it is just as easy to blame the virus, especially if the person claims to be a hospital worker, medic or another essential employee.
  3. A sympathetic story. While a lonely, deployed soldier story is prone to tug at the victim’s heartstrings, an EMT, nurse or doctor who just needs someone to talk to as they attempt to process the horrors of frontline medical work could be viewed as a more sympathetic story.
  4. The request for money. The sympathy mentioned above goes directly into the request for funds. Right now there are probably a lot of people who would help a nurse or medic purchase masks and gloves, and who has not heard the reports of price gouging and scarcity. If the scammer poses as an out-of-work employee, a victim might help a single parent buy groceries for their child.
  5. The cat-and-mouse game. Romance scams are a vicious cycle of flattery and compliments combined with plausible requests for money. Following through with the money earns the victim even more of the attention they crave. Hesitating or refusing earns them the silent treatment.

In order to protect themselves from COVID-19 romance scams and other scams, consumers have to be aware of the threat and spot the telltale signs. Romance scams rely on a formulaic model, namely an individual who reaches out on social media, via text message or some other electronic method. They begin a lengthy, personal conversation, one that involves an extremely high volume of frequent messages. Within days, they begin making statements such as, “I’ve never felt this way about anyone,” or “I know this is sudden, but I can really see us having a future together.”

Within a short period of “grooming” the victim with promises of visits and even marriage, the story crops up. One example could be a story about a terrible incident that has occurred and the scammer even has the funds to fix it, but they cannot access their money in time to fix the issue. The scammer may ask the victim to pay the money with the promise that they will be paid back immediately. From there, more requests for money could follow, even as the scammer continues to string along victims with promises of long-term relationships.

Remember, there is no plausible excuse why someone would need to reach out for money from someone they have not met in person. People should protect themselves from these and other scams by learning to spot the warning signs and distancing themselves if any red flags appear. If anyone believes they are a victim of a COVID-19 romance scam, they can contact the Identity Theft Resource Center to live chat with an expert advisor. If they do not have internet access, they can call toll-free at 888.400.5530. They will have to leave a message due to advisors working remotely. However, advisors will work to return calls as quickly as possible.

The Treasury Department and the IRS continue working towards getting consumers their stimulus checks due to the COVID-19 pandemic. With the distribution of stimulus checks underway, non-filers are now able to get their stimulus payments sooner thanks in part to an online tool that was created to help consumers who aren’t required to file tax returns. However, it is important that non-filers know the proper steps to take to protect their personal data and information so they don’t fall for a stimulus check scam.

First, non-filers should go directly to the IRS website. Always start at the most trusted source.

Second, non-filers should click the tab that says “Non-Filers: Enter Payment Info Here.” If consumers do not see this tab on the front page, they are not on the right page.

Consumers should proceed to click on the “Non-Filers” tab. Once they click on the tab, it should take them to a page that has information on the “Economic Impact Payment” and additional information on what consumers need to provide and what they should expect. The next step is to, once again, click on the tab titled “Non-Filers: Enter Payment Info Here” that can be found in the middle of the page.

Once the tab is clicked on, visitors will be redirected to The redirect could feel like a scam. However, if the homepage looks like the one below, consumers are at the right place. (The ITRC has verified that this is a valid redirect)

From there all people have to do is hit “Get Started” to begin. Once a profile is created, non-filers will be asked for personal information like their Social Security number, address, dependents and direct deposit information. In this case, it is okay for consumers to provide sensitive information.

However, if anyone receives emails, text messages or phone calls about non-filers filing for a stimulus check, they should ignore it because it is probably a stimulus check scam. People should be going directly to the source, in this case, the IRS, to complete the process.

Ever since the stimulus package was merely an idea, scammers have been increasing their efforts around stimulus check scams. It is important for people to never give out personal information over the phone or to anyone they do not know personally. Also, it is important to know the facts. The IRS will not call anyone.

If people have questions regarding non-filers or stimulus check scams, they can live chat with an expert ITRC advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist you as quickly as possible.

*Last updated June 23, 2020

Right now is a very difficult time for a lot of individuals as concerns around the COVID-19 pandemic continue to be at the top of people’s minds. In addition to the inconvenience of social distancing and isolation and the very real fears for personal health and safety, many people are also facing the stress of reduced hours at work, being furloughed or losing their jobs due to quarantine, and business closures.

There is another equally upsetting issue at hand: unemployment benefits identity theft. A record-setting *36 million people in the U.S. filed for unemployment due to COVID-19. The identity thieves are believed to be just as busy with the filing, too. Some victims have already contacted the Identity Theft Resource Center over complaints of unemployment benefits identity theft.

Unemployment benefits identity theft is nothing new. In fact, it is one of many types of government identity theft that can occur when a scammer uses stolen personally identifiable information to apply for benefits through the government. However, with so many consumers filing at the same time, an unfortunate number of people have already reported that a scammer beat them to it. Their claims have been rejected for being duplicate applications while someone else is now set up to receive their benefits.

Like many forms of identity theft, unemployment benefits identity theft is one that victims may not discover until the damage is done. If a claim is turned down for unemployment benefits due to a duplicate application, it is important for people to contact the unemployment agency immediately; the Identity Theft Resource Center is another resource to guide victims in this challenge (888.400.5530). In the meantime, there are other ways consumers should take action if their claims are rejected:

Place a freeze on your credit report if it’s feasible.

Victims might need to open a new line of credit while they are out of work, but that shouldn’t stop them from placing a freeze. Thawing a credit freeze is extremely simple and quick. This can help block an identity thief who may have their personally identifiable information (since they applied for unemployment benefits in their name) from using it for other purposes.

Monitor accounts carefully.

Once again, if a thief has enough information to apply for benefits, they could have access to other information or accounts. Consumers should keep a careful watch on all of their accounts, including their credit reports, and change any online passwords.

Be aware that applying for unemployment is only one step.

An identity thief may also fraudulently apply for nutrition assistance, WIC, medical coverage or other benefits. If there are any issues involving those services and someone’s identity, people should contact those agencies immediately.

It is a stressful time for many, and scammers are looking to add to it in many different ways, including through unemployment benefits identity theft. It’s also exceptionally difficult given the volume of calls and reduction in services from organizations that a victim needs to contact.

However, the ITRC is here for anyone who falls victim to government identity theft. Victims can also live-chat with an expert advisor or download the ID Theft Help App that will allow them to track their steps in a case log, and get on-the-go assistance.