i-Dressup 2016 Data Breach

i-Dressup Children's Casual Gaming Platform Breach (2016): 2.2 Million Young Player Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Unknown (FTC enforcement case; SQL injection)MisconfigurationChildenEmail AddressPassword
High SeverityWebsite / service breach

i-Dressup Children's Casual Gaming Platform Breach (2016): 2.2 Million Young Player Accounts Including Passwords Exposed

Online gaming site focused on dress-up and casual games for younger audiences. Users interact through browser-based games, often with optional accounts and light personalization features.

Verified by ObscureIQ Intelligence
69/100Breach Risk Index
40Data Value
25Market Recency
453dSince Breach

Breach Intelligence Summary

Entity: i-Dressup · Actor: Unknown (FTC enforcement case; SQL injection) · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Children’s dress-up and casual games · Browser-based gaming platform · Global
Timeline: Breach (2016-07-15) · Indexed (Jan 29, 2025) · Year (2016)
Exposure: 2.2M records · 2 fields: Email Address, Password
Status: Confirmed

Executive Summary

i-Dressup, an online dress-up and casual gaming website operated by Unixiz, Inc. and directed primarily at children, suffered a data breach in mid-2016 when an attacker exploited what the U.S. Federal Trade Commission later described as commonly known and reasonably foreseeable vulnerabilities. The attacker accessed the personal information of approximately 2.1 million users, including approximately 245,000 users who had indicated on registration that they were under 13 years of age. The attacker contacted i-Dressup with a warning that went unheeded and subsequently sent the breach data to journalists. i-Dressup discovered the intrusion in September 2016. The breach was redistributed as part of a larger corpus of data and was indexed by Have I Been Pwned and DataBreach.com on January 28-29, 2025. The breach affected approximately 2.1 million to 2.2 million users based on records indexed by breach-tracking services. Compromised fields included email addresses, usernames, dates of birth, and passwords. Critically, i-Dressup stored and transmitted user passwords in plaintext rather than as hashed values, exposing the original credentials directly. The FTC also documented that i-Dressup failed to perform vulnerability testing of its network even for well-known threats such as SQL injection, did not implement intrusion detection or prevention systems, and did not monitor for security incidents. For affected users and the parents and guardians of the approximately 245,000 affected children under 13, the practical risk profile combines credential-reuse exposure with significant child-safety concerns. Because i-Dressup stored passwords in plaintext, any account where the user reused the same password was immediately compromised, with credential-stuffing risks expected on email, gaming, and other accounts. Date of birth and email exposure for minors raises additional risks because child personal information has long-tail value for identity fraud that can go undetected for years until the child applies for credit, financial accounts, or employment as a young adult. Parents and guardians should freeze credit at all three U.S. bureaus for any minor children whose data may have been exposed, change any reused passwords for the child or their family members, and remain alert to phishing or social-engineering attempts referencing children's gaming accounts. Because i-Dressup is no longer operating, affected individuals will not receive direct notification and should treat any credentials that may have been used on the platform as fully compromised across all uses.

ObscureIQ assessment: High sensitivity because children may be affected. Exposure enables account takeover, harassment, grooming-adjacent abuse, and targeting of minors or family-linked accounts.

Breach Impact

The institutional impact on i-Dressup was effectively terminal. The site was forced offline by the New Jersey Department of Consumer Affairs and ultimately shut down following the FTC settlement. Unixiz, Inc. and named officers Zhijun Liu and Xichen Zhang accepted a $35,000 civil penalty plus permanent COPPA compliance obligations. The case has been formally cited in subsequent FTC enforcement actions and in industry guidance about COPPA's data-security requirements, which had previously been less prominent than its parental-consent provisions. Reputational impact extended across the children's online gaming sector and contributed to ongoing regulatory and parental scrutiny of casual children's gaming platforms.

About i-Dressup

i-Dressup was an online dress-up and casual gaming website operated by Unixiz, Inc., headquartered in California, with CEO Zhijun Liu and Secretary Xichen Zhang as named officers. The site allowed users to play dress-up games, design clothes, and decorate virtual personal spaces, alongside social and community features that included blog posting and user-to-user communication. i-Dressup's user base was concentrated in younger audiences, with the site stating that most members were 'boys and girls between 7 and 17,' and the company was subject to the U.S. Children's Online Privacy Protection Act (COPPA). The site is now defunct, having been forced offline by the New Jersey Department of Consumer Affairs and ultimately shut down following federal enforcement action.

Why They Hold Your Data

Children’s casual gaming platforms collect user accounts, usernames, emails, device data, gameplay activity, and in some cases profile details tied to browser-based play.

Recent Developments

i-Dressup is no longer operating. Following the 2016 breach disclosure and a New Jersey Department of Consumer Affairs action that took the site offline, the U.S. Federal Trade Commission and the U.S. Department of Justice filed a 2019 complaint against Unixiz, Inc., CEO Zhijun Liu, and Secretary Xichen Zhang for violations of the Children's Online Privacy Protection Act. The FTC settled the case in April 2019, with the defendants agreeing to pay a $35,000 civil penalty and accepting a permanent prohibition against violating COPPA in the future. The settlement also bars the defendants from collecting, selling, or sharing personal information until they implement a comprehensive data security program with biennial independent assessments. The case has been widely cited as a leading example of FTC enforcement combining COPPA parental-consent violations with data-security failures and as illustrating the regulatory consequences of inadequate child-data protection.

Data Points Exposed

2 verified field types
Email Address
Password Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover

Threat Actor: Unknown (FTC enforcement case; SQL injection)

Unknown (FTC enforcement case; SQL injection)
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the i-Dressup breach?

i-Dressup, an online dress-up and casual gaming website operated by Unixiz, Inc. and directed primarily at children, suffered a data breach in mid-2016 when an attacker exploited what the U.S. Federal Trade Commission later described as commonly known and reasonably foreseeable vulnerabilities. The…

What data was exposed?

Verified fields include Email Address, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Keeper
Independent catalogue listing
Cross-source
LeakBase.pw
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation