i-Dressup, an online dress-up and casual gaming website operated by Unixiz, Inc. and directed primarily at children, suffered a data breach in mid-2016 when an attacker exploited what the U.S. Federal Trade Commission later described as commonly known and reasonably foreseeable vulnerabilities. The attacker accessed the personal information of approximately 2.1 million users, including approximately 245,000 users who had indicated on registration that they were under 13 years of age. The attacker contacted i-Dressup with a warning that went unheeded and subsequently sent the breach data to journalists. i-Dressup discovered the intrusion in September 2016. The breach was redistributed as part of a larger corpus of data and was indexed by Have I Been Pwned and DataBreach.com on January 28-29, 2025.

The breach affected approximately 2.1 million to 2.2 million users based on records indexed by breach-tracking services. Compromised fields included email addresses, usernames, dates of birth, and passwords. Critically, i-Dressup stored and transmitted user passwords in plaintext rather than as hashed values, exposing the original credentials directly. The FTC also documented that i-Dressup failed to perform vulnerability testing of its network even for well-known threats such as SQL injection, did not implement intrusion detection or prevention systems, and did not monitor for security incidents.

For affected users and the parents and guardians of the approximately 245,000 affected children under 13, the practical risk profile combines credential-reuse exposure with significant child-safety concerns. Because i-Dressup stored passwords in plaintext, any account where the user reused the same password was immediately compromised, with credential-stuffing risks expected on email, gaming, and other accounts. Date of birth and email exposure for minors raises additional risks because child personal information has long-tail value for identity fraud that can go undetected for years until the child applies for credit, financial accounts, or employment as a young adult. Parents and guardians should freeze credit at all three U.S. bureaus for any minor children whose data may have been exposed, change any reused passwords for the child or their family members, and remain alert to phishing or social-engineering attempts referencing children's gaming accounts. Because i-Dressup is no longer operating, affected individuals will not receive direct notification and should treat any credentials that may have been used on the platform as fully compromised across all uses.

Children’s casual gaming platforms collect user accounts, usernames, emails, device data, gameplay activity, and in some cases profile details tied to browser-based play.

i-Dressup is no longer operating. Following the 2016 breach disclosure and a New Jersey Department of Consumer Affairs action that took the site offline, the U.S. Federal Trade Commission and the U.S. Department of Justice filed a 2019 complaint against Unixiz, Inc., CEO Zhijun Liu, and Secretary Xichen Zhang for violations of the Children's Online Privacy Protection Act. The FTC settled the case in April 2019, with the defendants agreeing to pay a $35,000 civil penalty and accepting a permanent prohibition against violating COPPA in the future. The settlement also bars the defendants from collecting, selling, or sharing personal information until they implement a comprehensive data security program with biennial independent assessments. The case has been widely cited as a leading example of FTC enforcement combining COPPA parental-consent violations with data-security failures and as illustrating the regulatory consequences of inadequate child-data protection.