The popular children’s website Webkinz suffered a massive data breach earlier this month that saw about 23 million user login credentials exposed on a dark web forum.

The data was spotted by Under the Breach which found 1GB of data containing usernames and encrypted passwords, according to ZDNet. Reportedly, the attackers exploited a SQL injection vulnerability found in a Webkinz form

On April 19 a  Webkinz tweet referenced the attack but did not categorically say whether or not it actually happened.

Even though some of the compromised details are encrypted Irfahn Khimji, country manager, Canada for Tripwire, said the information may still prove dangerous.

“It is paramount that the involved parties take all the necessary steps to mitigate the consequences of this incident, which include changing all their passwords, especially if they were used on accounts other than Webkinz, and even if Webkinz itself hasn’t yet issued a forced password change for its users,” he said.

SC Media has emailed Webkinz parent company Ganz for further information but has not yet received a response.