Animal Jam 2020 Data Breach

Animal Jam Children's Online Game Breach (2020): 7 Million Young Player Records Including DOB, Home Address & Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Children · Date of Birth · Email Address · Full Name · Gender · IP Address · Password · Physical Address · Username
High Severity · Website / service breach

Online multiplayer game for children.

Verified by ObscureIQ Intelligence
Breach Risk Index: 67/100
Data Value: 40
Market Recency: 25
Since Breach: 469d

Breach Intelligence Summary

Entity: Animal Jam · Actor: Unknown · Sources: 7 references
Attack: Unknown
Profile: Company · Children’s online gaming and educational entertainment · Online multiplayer game and virtual world for children · USA
Timeline: Breach (2020-10-12) · Indexed (Jan 13, 2025) · Year (2020)
Exposure: 7.1M records · 8 fields: Date of Birth, Email Address, Full Name, Gender, IP Address, Password, Physical Address, Username
Status: Confirmed

Executive Summary

WildWorks, the Utah studio behind the children's online game Animal Jam, suffered a data breach in October 2020 that exposed records tied to approximately 46 million accounts, including over 7 million unique email addresses. An attacker posted details of the breach on a hacking forum in November 2020. WildWorks confirmed the incident and identified the breach pathway as direct, though the specific method of intrusion has not been disclosed publicly.

The exposed data included usernames, IP addresses, email addresses, and passwords stored as PBKDF2 hashes. For a subset of records, the breach also exposed dates of birth, physical home addresses, and parent names. Because Animal Jam is designed for children aged 7 to 12, and parents create accounts alongside their children, family data was embedded in the platform by design. That structure meant the breach reached beyond individual users to expose household-level information, including details that could be used to physically identify minors.

WildWorks reset affected passwords and notified users directly. Where parental email addresses were on file, the company contacted parents as well. No payment card data was involved. A class-action complaint followed, citing failures under the Children's Online Privacy Protection Act (COPPA), the federal law governing data collection from minors.

Affected families should treat any reused passwords as compromised and change them across other accounts. The combination of children's birthdates, home addresses, and parent contact details creates meaningful risk of targeted fraud, harassment, or other harm directed at families.

ObscureIQ assessment: High sensitivity because minors are involved. Exposure enables account takeover, grooming-adjacent abuse, harassment, fraud, and family-linked targeting.

Breach Impact

In November 2020 an attacker posted details of the breach on a hacking forum. WildWorks confirmed it. The company reset passwords and notified users. Where parental email addresses were on file, it contacted parents directly. No payment card data was involved. But the exposed records included children's birth dates, parent email addresses, home addresses, usernames, and IP addresses. The platform's design meant family data was part of the breach. A class-action complaint followed, citing failures under COPPA. The incident is a clear example of the specific obligations that come with building a platform for children. The data of the family comes with the data of the child.

About Animal Jam

Animal Jam is an online game for children. Players adopt animal avatars and explore a nature-themed virtual world. WildWorks, a Utah studio, runs the platform. It is designed for children aged 7 to 12 and operates under COPPA, the federal law governing data collection from minors. Parents create accounts alongside their children. That design decision matters for understanding what the breach exposed.

Why They Hold Your Data

Children’s online games collect player accounts, usernames, parental contact information, device data, gameplay activity, and payment-adjacent records tied to youth-oriented virtual worlds.

Recent Developments

Animal Jam continues to operate under WildWorks. The company has maintained the platform through content updates and seasonal events. No major organizational or ownership changes have been widely reported since the 2020 breach.

Data Points Exposed

8 verified field types
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Gender
  • IP Address
  • Password (Critical)
  • Physical Address (High)
  • Username

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • Physical stalking, mail fraud & identity verification
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Animal Jam breach?

WildWorks, the Utah studio behind the children's online game Animal Jam, suffered a data breach in October 2020 that exposed records tied to approximately 46 million accounts, including over 7 million unique email addresses. An attacker posted details of the breach on a hacking forum in November…

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Gender, IP Address, Password, Physical Address, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • DeepSearch (Cross-source): Independent catalogue listing
  • Dehashed (Cross-source): Independent catalogue listing
  • leakfind (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
