Passwords — Animal Jam Data Breach

The severity of storing plain text passwords did not go unnoticed by the legal system. A class action lawsuit was filed against WildWorks in the United States District Court for the District of Wyoming (Case 2:21-cv-00090).

The plaintiffs alleged:

The lawsuit highlighted that WildWorks had been warned by security researchers years prior about their poor password storage but failed to act due to "legacy code" issues. The outcome of the litigation resulted in undisclosed settlement costs, but the reputational damage was permanent. Animal Jam Data Breach Passwords

Animal Jam supports 2FA via email or authenticator apps. Enable it immediately. This is the single most effective way to block unauthorized logins, even if attackers have your password.

The content of the passwords themselves makes this breach distinct from LinkedIn or Yahoo breaches. The severity of storing plain text passwords did

Predictability and Patterns: The user base of Animal Jam is primarily children aged 7–12. Children generally do not practice good password hygiene.

This creates a "lowest common denominator" vulnerability. Even if a parent secures their home network, if a child uses a weak password like "cooldude2008" and it is cracked, the attacker now has a valid credential pair (email + password) to test against Google, Apple, or other gaming platforms. The lawsuit highlighted that WildWorks had been warned

Here’s where the real danger lies. Most people reuse passwords across multiple sites. If a child’s Animal Jam password was “CookieMonster12” and their parent uses the same password for Amazon, PayPal, or their work email, the attacker will try that combination on every major platform automatically.

Credential stuffing bots can run through millions of username/password pairs in minutes. A single exposed Animal Jam password can lead to: