
Cyber Incident Victim: i-dressup.com

Date: Sep 2016

Location: United States of America

Summary

A teen-focused social platform suffered a significant data breach when a hacker exploited SQL injection vulnerabilities to access and download millions of user credentials, including plaintext passwords. The attacker obtained over 2.2 million account details initially, with the entire database of approximately 5.5 million records remaining exposed due to unaddressed security flaws. Independent verification confirmed the authenticity of the stolen credentials through password recovery mechanisms. Despite multiple private notifications to the site's operators about the active vulnerability, no remedial actions were taken, leaving user data continuously at risk. The breach exposed sensitive authentication information without encryption, significantly compounding potential misuse risks for affected accounts.


Description

On or around September 26, 2016, the teenage-focused social platform i-Dressup.com suffered a significant data exposure involving millions of user credentials stored in plaintext. A hacker exploited SQL injection vulnerabilities in the website's infrastructure over approximately three weeks, extracting 2.2 million account records containing email addresses and unprotected passwords. The attacker confirmed the database contained approximately 5.5 million entries in total, with the remaining records still accessible due to unpatched vulnerabilities. Security researchers at Ars Technica and Have I Been Pwned validated the breach by cross-referencing sample credentials through the site's password recovery function, confirming all tested accounts were legitimate registrations. Despite multiple contact attempts via i-Dressup's communication channels over five days prior to publication, the website operators failed to acknowledge or remediate the security flaw, leaving the entire user database exposed at the time of public disclosure.

The incident exposed highly sensitive authentication credentials without cryptographic protection, creating immediate risks of account hijacking and credential reuse attacks across other platforms. Forensic analysis confirmed the attacker exclusively obtained email-password pairs through automated database queries rather than intercepting traffic or compromising user devices. No evidence suggested financial data or additional personal information was accessed. The platform's predominantly teenage female user base heightened concerns about potential harassment or exploitation stemming from compromised accounts. Operational consequences included reputational damage to i-Dressup due to inadequate security practices and failure to respond to researcher notifications. The attacker voluntarily shared the stolen dataset with breach tracking services to facilitate user notifications, though the operators never publicly acknowledged the incident or implemented containment measures according to available reports.
