On Wednesday, the Federal Trade Commission settled a case with Onixiz, the owners of i-Dressup, an online flash game website dedicated to dressing up virtual dolls and designing clothes. According to the complaint, the website violated the Children’s Online Privacy Protection Act (COPPA) and risked its young users’ data security.

i-Dressup operated pretty much like any flash game website you remember from the early 2000s. It featured timeless classics like “Sexed-Up Style,” “Floral Hats,” and the “Feminine Ruffle,” some of which you are still able to play on other dress-up sites that have apparently ripped the games and republished them.

COPPA requires companies that provide online services or targeted to children under 13 to maintain specific privacy standards, like receiving parental consent and providing “reasonable” data security for its young users. The FTC complaint claims that i-Dressup failed the test for compliance on both of those fronts.

The data security problems were particularly pronounced. In 2016, Ars Technica reported that the site exposed the passwords belonging to more than 5.5 million user accounts in plaintext and a hacker was able to download millions of credentials by using a SQL injection attack, which exploited vulnerabilities in i-Dressup’s security infrastructure, or lack thereof. According to the press release, about 245,000 of those users were under 13 years of age.

It wasn’t until 2018 that the website was finally forced offline by the New Jersey Department of Consumer Affairs as a response to the 2016 data breach. In a statement at the time, New Jersey Attorney General Gurbir S. Grewal said, “Children are extremely vulnerable on the internet and we must do all we can to protect them from being exploited by advertisers or tracked by internet predators.” Who these predators were is unclear, but they certainly weren’t addressed in the FTC’s press release this week.

In the comments of posts on the website’s Facebook page “i-Dressup.com Dress up games for people who love fashion,” reactions to the website’s removal included one user writing, “I cannot open i-dressup.Its showing SQL ERROR…why?? I am scared.” Others said, “,this was my favorite game in the world.i just cant belive it was hacked” and “I can’t play the game.”

In order to settle the case for the COPPA violations, i-Dressup’s owners will pay out $35,000 in civil penalties, which will go to the US Treasury. According to the FTC, i-Dressup’s owners are “prohibited from violating COPPA in the future, and can’t sell, share, or collect any personal information until they implement a comprehensive data security program and get independent biennial assessments.” It’ll also be required to submit annual compliance certificates to the agency in the future as well.

No word from i-Dressup on whether it’ll relaunch in the future.

https://www.theverge.com/2019/4/27/18518619/i-dress-up-virtual-website-ftc-data-breach