Quebec Bans Popular School App After Data Leak Exposes Student Info

The Quebec government has instructed schools and daycares across the province to immediately stop using the HopHop app, following serious cybersecurity issues revealed in a Radio-Canada investigation.

According to officials, the province’s Ministry of Cybersecurity and Digital Technology contacted both the Education and Family ministries after discovering personal information from parents and children was at risk. The ministry’s chief information security officer recommended a temporary suspension of the app’s use “until further notice.”

The company behind HopHop — which has been in use since 2016 and is used by at least 500 schools and daycare centres — has already blocked access to its servers and says it is working to fix the vulnerability.

Education Minister Sonia LeBel said the move is a reminder that digital tools used in schools and childcare settings must meet security standards. “It’s important for all of us, as citizens, parents, and institutions, to remember that the apps we use can present certain security risks,” she said. Way to gaslight parents and deflect any responsibility, LeBel.

Family Minister Kateri Champagne Jourdain confirmed that her department will issue a notice to childcare providers advising them to stop using the app as well.

The province had reportedly been aware of potential security flaws for about two weeks. Two cybersecurity experts, who are also parents, discovered they could access private data — including names, photos, emails, and phone numbers — and even use a feature that alerts schools when parents are on their way to pick up their children. Talk about a major SNAFU.

HopHop is made by Bleu-K Inc., which is based in Laval, Quebec. Their privacy policy states that their servers and databases are located in the Montréal region.

Emails from HopHop to registered users explained what they have done so far:

An article from Radio-Canada published on Tuesday, October 7th, mentions that a cybersecurity expert managed to access information contained in our database. We’ve initiated the procedure to temporarily suspend access to our servers and our application as a preventative measure. We are currently in discussions with the Ministry of Cybersecurity and Digital Affairs to collaborate with them in order to correct the identified vulnerability.

The incident occurred between October 3rd and 7th, 2025. The vulnerability was identified for the following user data: last name, first name, photo, phone number, email, names and first names of their children, child’s photo (if the user had uploaded one), as well as the name of the school attended by the children. No data breach has been brought to our attention. However, as a precautionary measure, we recommend that you activate multi-factor authentication (if you haven’t already) linked to the email you used with us.

Please be assured that we are taking this situation very seriously and are working tirelessly to resolve it. Our goal has always been to provide you with an application that is both secure and practical. We are doing everything we can to restore this security.

Both ministers stressed that schools and daycares are responsible for ensuring the apps they use meet privacy and safety requirements, but the government will provide support if needed.