Hong Kong-based VTech, a company best known for making electronic educational toys, suffered a massive breach that affected user accounts worldwide. The company has “temporarily suspended” its Learning Lodge store, which offers apps, music, e-books and games for children, after the store's database was compromised.
The hacker contacted Motherboard, which reported the leaked data included 4.8 million records with parents’ names, home addresses, email addresses and passwords. There were over 200,000 records for children, including their “first names, genders and birthdays.”
Motherboard contacted security expert Troy Hunt, who maintains the site Have I Been Pwned. Hunt analyzed the data and found 4,833,678 unique email addresses; the passwords were hashed, but with a scheme weak enough that the hashes were easy to crack. The secret questions and answers used for password recovery were stored in plaintext.
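The page only says the hashes were easy to break; the example below (added here, not code from Motherboard, Hunt or VTech) assumes, for illustration, that the weak scheme was a single fast, unsalted hash such as MD5, and contrasts it with salted PBKDF2. It shows why the first is cheap to crack: one lookup table built from a wordlist answers every account at once, whereas with a per-account salt and a slow derivation each guess has to be recomputed for each account. The accounts, wordlist and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed wordlist and sample accounts (not real VTech data). A real
# cracking run uses lists of hundreds of millions of entries from earlier leaks.
WORDLIST = ["password", "123456", "qwerty", "hunter2", "letmein", "princess"]
ACCOUNTS = {
    "parent1@example.com": "hunter2",
    "parent2@example.com": "letmein",
    "parent3@example.com": "Tr0ub4dor&3",   # not in the wordlist
}

PBKDF2_ITERS = 100_000   # assumed work factor for the hardened scheme


def md5_unsalted(password):
    """Assumed weak scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored):
    """One precomputed table answers every account: cost is len(WORDLIST) hashes
    in total, regardless of how many accounts leaked."""
    table = {md5_unsalted(w): w for w in WORDLIST}
    return {email: table.get(h) for email, h in stored.items()}


def pbkdf2_store(password, salt=None):
    """Hardened storage: random 16-byte salt plus a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def pbkdf2_verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored):
    """No shared table is possible: every guess is re-derived per account, each
    costing PBKDF2_ITERS iterations. Returns (cracked passwords, guesses made)."""
    cracked, work = {}, 0
    for email, (salt, digest) in stored.items():
        cracked[email] = None
        for w in WORDLIST:
            work += 1
            if pbkdf2_verify(w, salt, digest):
                cracked[email] = w
                break
    return cracked, work


def demo():
    """Crack the same accounts stored both ways; returns both outcomes."""
    weak = {e: md5_unsalted(p) for e, p in ACCOUNTS.items()}
    strong = {e: pbkdf2_store(p) for e, p in ACCOUNTS.items()}
    return crack_unsalted(weak), crack_salted(strong)


if __name__ == "__main__":
    unsalted_result, (salted_result, guesses) = demo()
    print("unsalted MD5, one table for all accounts:", unsalted_result)
    print("salted PBKDF2, %d separate derivations:" % guesses, salted_result)
```

Both schemes give up the two weak passwords here because the wordlist is tiny, but note the cost: the unsalted run hashed the wordlist once, the salted run had to derive a key for every (account, guess) pair. Against millions of accounts that difference, multiplied by the iteration count, is what separates "cracked overnight" from "not worth attempting"; a memory-hard function such as scrypt or Argon2 widens the gap further.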
We may hear about breaches so often that we are desensitized, but according to Hunt:
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”
On Black Friday, VTech announced that “an unauthorized party accessed VTech customer data” stored in the company’s Learning Lodge app store database. The intrusion took place on Nov. 14; VTech learned of it on Nov. 24, when Motherboard contacted the company. An updated VTech statement added:
Our customer database contains user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history. In addition the database also stores kids’ information including names, genders and birthdates. In total about 5 million customer accounts and related kids’ profiles worldwide are affected.
The person responsible for the breach claimed to have no intention of doing anything with the data, and told Motherboard that he or she had gained access to VTech’s database via SQL injection.
Surrey University cybersecurity expert Professor Alan Woodward told the BBC, “If that is the case then it really is unforgivable - it is such an old attack that any standard security testing should look for it.”
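To make concrete what “such an old attack” looks like, and what the standard test for it is, here is an added example (not code from VTech or from the article) in Python against an in-memory SQLite table with constructed sample rows. The schema and the `lookup_*` functions are hypothetical stand-ins for an account lookup; the point is the difference between splicing user input into the SQL text and passing it as a bound parameter, plus the single-quote probe that any routine scan would send.

```python
import sqlite3

# Constructed sample rows modelled on the field list in VTech's statement
# (email, password, secret question and answer); not real customer data.
SAMPLE_USERS = [
    ("parent1@example.com", "hunter2", "Mother's maiden name?", "Smith"),
    ("parent2@example.com", "letmein", "First pet's name?", "Rex"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, secret_q TEXT, secret_a TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Interpolates user input into the SQL text: the injection pattern."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameterized query: the driver passes input as data, never as SQL."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# A UNION payload: closes the string, appends a second SELECT that returns
# password and secret answer in the email column, then comments out the rest.
PAYLOAD = "nobody' UNION SELECT password || ':' || secret_a FROM users --"


def smells_injectable(lookup_fn, conn):
    """Crude scanner-style probe: a lone quote that breaks the SQL syntax means
    the input is being spliced into the query text."""
    try:
        lookup_fn(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "safe": lookup_safe(conn, PAYLOAD),
        "honest": lookup_safe(conn, "parent1@example.com"),
        "probe_vulnerable": smells_injectable(lookup_vulnerable, conn),
        "probe_safe": smells_injectable(lookup_safe, conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Against the vulnerable lookup the payload returns every password and secret answer in the table; against the parameterized version the same string is simply an email address nobody has, and the query returns nothing. The probe is the first thing a scanner tries, which is Woodward's point: the bug is found by sending one quote and watching for an error.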
Regarding VTech’s failure to follow best practices and properly secure its database, Larry Salibra, founder of crowd-sourced bug-testing platform Pay4Bugs, told Reuters, “This seems to be a trend. Hardware manufacturers really don't value software skills - I would imagine because they don't see any immediate positive impact to their bottom line. Software talent is an easy place to be cheap with minimal consequences until something like this happens.”
VTech said it had emailed every account holder to notify them about the breach.
Hunt was sharply critical of VTech’s “total lack of care” in securing its data. The nearly five million email addresses have been added to Have I Been Pwned. Hunt added, “The children aren’t, but I suspect this will be the first of many times their data will be breached, dumped and traded online.”