Hacker downloads 2.2 million PLAINTEXT passwords from teen social site

And there’s another 3.3 million waiting to be picked off…

David bisson
David Bisson


An unknown hacker has downloaded 2.2 million passwords from a teen social site. To make matters worse, all of the passwords are in plaintext format.

Ars Technica first learned of the breach when the hacker reached out to it and breach notification service Have I Been Pwned?

In the correspondence that followed, the hacker provided both outlets with 2.2 million plaintext passwords they had acquired from i-Dressup, a website which offers fashion-themed games for teens.

Sign up to our free newsletter.
Security news, advice, and tips.

Ars Technica and security researcher Troy Hunt both confirmed the legitimacy of the data dump by verifying that many of the email addresses were indeed registered on i-Dressup.

According to the hacker, it took them just three weeks to exploit vulnerabilities on i-Dressup’s website using an SQL injection attack, allowing them to gain access to the password database.

But the breach doesn’t end there, unfortunately. The hacker went on to state it would be trivial for them or another attacker to make off with the entire database of 5.5 million plaintext passwords.

Concerned for those remaining 3.3 million users, Ars Technica reached out to i-Dressup, but to no avail. As Ars Technica writer Dan Goodin explains:

“Operators of i-Dressup didn’t respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials…. Ars … used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.”


Nothing says “secure site” more than the chirping of crickets.

The sound of silence is also prevalent on the website’s social media, though as the below screenshot demonstrates, some users are aware of the breach enough to post something to the company’s official Facebook page:

Screen shot 2016 09 28 at 10.18.04 am

Unfortunately, until i-Dressup patches the vulnerability, actors can continually compromise users’ plaintext passwords and gain unauthorized access to their accounts. It’s up to members as to whether they want to endure that continual headache or temporarily deactivate their accounts instead. Regardless, all i-Dressup users should make sure they’re not reusing their password across other web accounts.

Now we sit and wait to see if i-Dressup takes responsibility for its users’ security….

The teen social site joins Rambler.ru and LinkedIn, both of which suffered high-profile data breaches and failed to properly protect passwords in some way.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Hacker downloads 2.2 million PLAINTEXT passwords from teen social site”

  1. Zoe

    NOO! I loved i-Dressup! I went on the website today to log in and everything was gone. I went to their facebook and people were posting links to this article and another about what happened and that's how I found out. So sad, :(

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.