UPDATED 22:24 EDT / NOVEMBER 12 2020

SECURITY

46M records stolen from kids gaming service Animal Jam published on dark web

Some 46 million records stolen from children’s gaming service Animal Jam have found their way onto the dark web following a hack of the company in October.

Animal Jam is a popular online virtual world created by WildWorks Inc. It has more than 130 million users and caters to children between the ages of four and eight. The site has a zoo theme featuring mini-games, puzzles, adventures, parties and social interactions.

The hack and subsequent theft of data were confirmed in a statement on the Animal Jam site. WildWorks describes the theft as involving a database containing some Animal Jam user data on the server of a vendor the company uses for intra-company communication. The stolen data included usernames, email addresses, encrypted passwords and birth dates, along with, in some cases, the names of parents and their billing address. No financial details were stolen.

Although the passwords were not stored in plain text, they were protected only with SHA-1 hashing. That’s an old cryptographic hash function, and passwords hashed with it can easily be cracked by hackers.

WildWorks only became aware of the theft of the data after being contacted by security researchers Nov. 11. The hack and data theft are believed to have occurred Oct. 10-12.

Where the story takes an unexpected twist is how the hack is believed to have taken place. WildWorks Chief Executive Officer Clark Stacey told Bleeping Computer that he believes those behind the hack obtained WildWorks’ Amazon Web Services Inc. key after compromising the company’s Slack server.

“The exposure of 46 million Animal Jam user records further validates that no personal data is safe, even on an innocent online game website,” Robert Prigge, CEO of identity verification company Jumio Corp., told SiliconANGLE. “As children’s education and activities have rapidly shifted online amid the COVID-19 pandemic, it’s likely children are using the same usernames and passwords across multiple applications and online accounts, meaning this exposure allows hackers to gain access to more than just Animal Jam.”

Chloé Messdaghi, vice president of strategy at cybersecurity intelligence firm Point3 Security Inc., noted that it’s never appropriate to target kids’ data and the services that make this available need to be stopped.

“A lot of companies use communications apps such as Slack without two-factor authentication, which seems to be the case with Animal Jam,” Messdaghi added. “Instead, companies assume they’re not targets, or mistakenly believe that using a password that’s too short is sufficient. This just underscores that any shared service — GitHub, Citrix, whatever – needs to be protected with multifactor authentication apps or preferably a token, and it underscores just how important password managers are.”

Image: Animal Jam
