Animal Jam Kids’ Virtual World Hit By Data Breach, Impacts 46M Accounts

The immensely popular children’s online playground Animal Jam has suffered a data breach impacting 46 million accounts.

Animal Jam is a virtual world created by WildWorks, where kids can play online games with other members. Geared towards children ages 7 through 11, Animal Jam has over 300 million animal avatars created by kids, with a new player registering every 1.4 seconds.

Yesterday, a threat actor shared two databases belonging to Animal Jam for free on a hacker forum, stating that they were obtained by ShinyHunters, a well-known website hacker.

Partial database shared for free

The two stolen databases are titled ‘game_accounts’ and ‘users’ and contain approximately 46 million stolen user records.

As part of the free release, the threat actor shared only a partial database containing approximately 7 million user records for children/parents who signed up for the game.

Animal Jam database sample

Based on the timestamps on the sample records seen by BleepingComputer, the database was likely stolen on October 12th, 2020.

Full transparency from WildWorks

In what should be considered a model of transparent reporting of a data breach, WildWorks shared with BleepingComputer that they learned of the breach this morning and have been actively investigating it.

WildWorks CEO Clark Stacey told BleepingComputer that he believes the threat actors obtained WildWorks' AWS key after compromising the company’s Slack server. When the breach occurred, it was quickly addressed, but they were unaware that any data was stolen at the time.

After learning today of the stolen database, their investigation revealed that the threat actors gained access to databases that contained:

  • 46 million player usernames, which are human moderated to make sure they do not contain a child’s proper name.
  • 46 million SHA1 hashed passwords. Though there are claims that 13 million passwords have been cracked, WildWorks has not been able to confirm if this is true and that passwords are salted and hashed.
  • Approximately 7 million email addresses of parents whose children registered for Animal Jam accounts are included.
  • IP addresses used by the parent or player when they signed up for an account. In the samples seen by BleepingComputer, all records included an IP address.
  • 7 million email addresses that are associated with accounts.
  • 116 of these records (all from 2010) also include the parent’s name and billing address, but no other credit card info.
  • A small subset of the records may include the gender and birthdate the player entered when creating their account. Of those, most will only have the birth year. 
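
A single round of salted SHA-1 is cheap to compute for every guess, which is why leaked hashes of this kind are still exposed to offline guessing. The following is an added example, not WildWorks' code: it shows one way to retire such hashes by verifying against the legacy value at login and immediately re-storing the password under a memory-hard KDF. The `salt || password` layout, the record fields and the scrypt parameters are assumptions, since the page does not describe the actual scheme.

```python
import hashlib
import hmac
import os

# Assumed legacy layout: hex(SHA1(salt || password)). The article only says
# the passwords are SHA1, "salted and hashed"; the real construction is unknown.
def legacy_sha1(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()

# scrypt cost parameters chosen for this example: about 16 MiB of memory per guess.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def scrypt_hash(password: str, salt: bytes) -> str:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT).hex()

def new_record(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt for every stored password
    return {"scheme": "scrypt", "salt": salt, "hash": scrypt_hash(password, salt)}

def login(record: dict, password: str) -> bool:
    """Verify a password; upgrade a legacy SHA-1 record in place on success."""
    if record["scheme"] == "sha1":
        candidate = legacy_sha1(password, record["salt"])
    else:
        candidate = scrypt_hash(password, record["salt"])
    # Constant-time comparison of the two hex digests
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["scheme"] == "sha1":
        # The plaintext is only available at login, so re-hash it now
        record.update(new_record(password))
    return True

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample data
    rec = {"scheme": "sha1", "salt": salt, "hash": legacy_sha1("hunter2", salt)}
    print(login(rec, "wrong"), rec["scheme"])    # rejected, record untouched
    print(login(rec, "hunter2"), rec["scheme"])  # accepted, record upgraded
    print(login(rec, "hunter2"), rec["scheme"])  # accepted via scrypt
```

Accounts that never log in again keep the weak hash under this approach; wrapping the stored SHA-1 value itself in the KDF is the usual way to cover those.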

Though the number of records stolen is quite large, Stacey states it is a small subset of the total number of Animal Jam user accounts registered since 2010. Animal Jam now has over 130 million registered players and 3.3 million monthly active users.

Stacey stated that they are preparing a report for the FBI Cyber Task Force and notifying all affected emails. They will also be making a public announcement that will link to a FAQ on their site.

“WildWorks is a small company, but we take player security very seriously. We are deeply concerned to learn of this breach, albeit relieved that no sensitive information such as plaintext passwords or real names of children were exposed in this theft,” Stacey shared with BleepingComputer.

WildWorks told BleepingComputer that they would continue to be transparent about the exposed data, and if any new information is learned from their investigation, it will be disclosed.

What should Animal Jam users do?

If you or your child is an Animal Jam user, you should immediately change the account’s password.

If that password is used at any other site, it should also be changed to a unique password.

Using a unique password at every site where you have an account prevents a data breach at one site from affecting you at other websites you use.

It is also an excellent time to introduce your child to a password manager so that they get into the habit of using unique and robust passwords at every site they use. This practice will save them a lot of headaches in the future.

As this data can be used in phishing attacks targeted at children, it is also essential to monitor your kid’s accounts for suspicious email.


