Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

5 Million Parents, Kids Hit by VTech Data Breach

VTech hacked

Hackers managed to steal the personal details of nearly 5 million parents and more than 200,000 children from the systems of Chinese educational toy manufacturer VTech.

VTech hacked

Hackers managed to steal the personal details of nearly 5 million parents and more than 200,000 children from the systems of Chinese educational toy manufacturer VTech.

The breach occurred on November 14, but the company only learned of it on November 24 after being contacted by a Vice Motherboard reporter who obtained the stolen information from the hackers.

In a statement posted on its website over the weekend, VTech said the attackers gained access to Learning Lodge, a website where customers can download applications, e-books, learning games and other content for their VTech products. The company has admitted that the personal details of roughly 5 million customers have been compromised, including names, email addresses, mailing addresses, secret questions and answers, IP addresses, and download histories.

Worryingly, profiles created by parents for their kids, which include information such as name, gender and date of birth, have also been exposed.

The company has pointed out that it does not store credit and debit card information, social security numbers or driver’s license numbers. The incident affects people in many countries, including the United States, Canada, France, Germany, the Netherlands, Spain, the UK, Australia, and China.

The leaked data was also analyzed by Troy Hunt, an Australian security expert who maintains Have I Been Pwned (HIBP), a service that allows users to check if their details have been exposed in major data breaches. Hunt identified 4,833,678 unique accounts set up by parents, and 227,622 profiles created for kids.

The expert has highlighted several security failures, including the fact that user passwords were stored in the Learning Lodge database as easily-crackable MD5 hashes. Furthermore, the exposed data can be used to link parent profiles to children profiles, which poses a serious privacy risk.

In its first statement on the breach, published on Friday, VTech said it had implemented a series of measures to prevent further attacks. However, Hunt identified several security issues on the company’s websites, including the lack of SSL-protected communications, lack of encryption for sensitive data, extensive use of Adobe Flash, which is currently one of the most vulnerable pieces of software, and SQL injection vulnerabilities.

Advertisement. Scroll to continue reading.

In fact, the hackers told Motherboard that they exploited a SQL injection flaw to gain access to the data. The attackers said they don’t intend to make the leaked data public.

After Hunt published a blog post detailing VTech’s security failures, the company released an updated statement informing customers that Learning Lodge and several other websites have been suspended for a “thorough security assessment and fortification.”

“What really disappoints me is the total lack of care shown by VTech in securing this data,” Hunt said. “It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been. Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”

Users can check the HIBP service to determine if they are affected by the VTech breach. The incident is ranked fourth in HIBP based on the number of impacted accounts, after the data breaches affecting Adobe, Ashley Madison, and 000webhost.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.