Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one other in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords that are a scrambled representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. Hashed passwords can still be unencrypted if hackers have the means to do so. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. A strong reminder for Webkinz users, especially those who used the platform as children but are now adults, that may be utilizing the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.

You might also like…