Hundreds of schools and daycare centers in Quebec used an application that leaked sensitive information about children and their guardians, sparking parental outrage and prompting government intervention after a security researcher revealed the exposure. The app, known as HopHop and launched in 2016 to coordinate pickup times, was reportedly not on the provincial Ministry of Education’s approved tools list despite widespread adoption across the region.
Company communications to parents indicate the incident occurred between September 29 and October 7, 2025, during which time personal data stored or transmitted by the app was accessible. The compromised material reportedly included full names of children, names of parents and guardians, photos of children, photos of app users, and the name of the school each child attends. The developer temporarily suspended access to services after being alerted to the exposure.
“Someone really malicious who sees a photo of a parent, tries to look like them, and then picks the child up from school, that could happen.” — security researcher who discovered the vulnerability
Researcher Found Open Endpoint Allowing Anyone To Trigger Pickup Notifications And Download Photos
A security expert who discovered the problem said the leak originated from an unsecured content-delivery and notification endpoint that allowed external parties to view and interact with data intended only for parents and school staff. The researcher reported being able to extract sensitive information and to press the application’s “I’m on my way” button — a control that notifies schools to prepare a child for pickup.
Investigators found that the app calculated estimated arrival times either by reading a smartphone’s GPS or by accepting manual input; however, the associated backend did not enforce sufficient access controls. That lack of authentication meant that content such as parent profile photos and child images, together with notification controls, could be retrieved or acted upon without valid credentials.
Officials and parents expressed alarm at the practical implications of the flaw. The researcher warned that publicly accessible photos plus an ability to trigger pickup events could enable impersonation or physical risk to children. The developer’s privacy documentation professed strong protections for personal data, but the researcher’s findings indicated those measures were not implemented effectively on the exposed systems.
Government Advises Schools to Stop Using HopHop After Weeks of Awareness, Parents Question Delay and Transparency
Two weeks after provincial officials were reportedly made aware of security concerns, authorities began instructing daycare centers and school service providers to cease using the HopHop application. The provincial minister responsible for education and digital security emphasized that private childcare operators remain responsible for vetting and protecting personal information collected through third-party applications, and that they can request assistance from the ministry to test and validate tools.
“It remains the responsibility of the school service center to ensure that when an application is favored by a daycare, CSS, for example, that it passes the necessary test provided for by law.” — provincial minister
Parents criticized both the developer’s timing in notifying users and the apparent lag between initial warning and government action. Many families said they had relied on the app for years to streamline pickups and reduce wait times, and they expressed frustration at being informed only after the issue received media attention. Social channels saw intense backlash from users demanding clearer communication, faster remediation, and accountability from school administrators who allowed the app’s use.
Schools and daycare operators responded variably: some suspended HopHop immediately when notified, while others continued to rely on the tool until formal guidance arrived. The provincial ministry’s statement that private childcare services bear responsibility for their chosen digital tools drew ire from parents who argued that widely deployed, child-facing apps should be subject to more proactive governmental vetting and mandatory cybersecurity testing.
Reportedly, the outage and partial service suspension began after the developer received notice of the vulnerability. The company stated it was working with the Ministry of Cybersecurity and Digital Affairs to patch identified problems and to secure the affected infrastructure. The developer’s notice to parents reportedly described temporary suspension of service and collaboration with authorities to remedy weaknesses.
At this stage, the full number of affected children and the complete dataset exposed are still being confirmed. Authorities and the developer are conducting technical assessments to determine whether copies of images or notification logs were downloaded and whether any malicious actors exploited the vulnerability prior to remediation.
Privacy and security experts observing the case emphasized that the HopHop incident illustrates common failures in the procurement and oversight of third-party educational technologies: inadequate security testing, unclear governance for approved tools, and insufficient incident-notification practices. Those experts underlined the particular sensitivity of data about minors and the elevated obligations of custodians to protect that information.
Parents and guardians have been urged to monitor communications and to verify pick-up procedures at their children’s schools. Education officials recommended that schools temporarily adopt paper-based or supervised manual check-in procedures until secure alternatives are confirmed. The ministry has offered to assist school boards and daycares in evaluating applications and to establish clearer guidance for vetting digital services used in educational contexts.
Implications for School IT Governance and Child Safety
The HopHop exposure has prompted calls for stronger oversight mechanisms that require penetration testing, authenticated access controls, and explicit approvals before apps handling student data can be used in classrooms and childcare settings. Experts say that parental trust in digital coordination tools hinges on transparent vendor security practices and timely disclosure when issues arise.
The incident also raises operational questions for school administrators about vendor due diligence and ongoing monitoring of third-party systems. Many education stakeholders noted that the convenience of modern apps cannot come at the expense of baseline security, especially when those tools control processes that directly affect child safety.
As forensic reviews proceed and remediation work continues, education authorities and developers face pressure to clarify timelines for fixes, to disclose the full extent of the exposure, and to commit to stronger safeguards before such applications are permitted for use again in school and daycare environments.
