5 Million Parents, Kids Hit by VTech Data Breach

Hackers managed to steal the personal details of nearly 5 million parents and more than 200,000 children from the systems of Chinese educational toy manufacturer VTech.

The breach occurred on November 14, but the company only learned of it on November 24 after being contacted by a Vice Motherboard reporter who obtained the stolen information from the hackers.

In a statement posted on its website over the weekend, VTech said the attackers gained access to Learning Lodge, a website where customers can download applications, e-books, learning games and other content for their VTech products. The company has admitted that the personal details of roughly 5 million customers have been compromised, including names, email addresses, mailing addresses, secret questions and answers, IP addresses, and download histories.

Worryingly, profiles created by parents for their kids, which include information such as name, gender and date of birth, have also been exposed.

The company has pointed out that it does not store credit and debit card information, social security numbers or driver’s license numbers. The incident affects people in many countries, including the United States, Canada, France, Germany, the Netherlands, Spain, the UK, Australia, and China.

The leaked data was also analyzed by Troy Hunt, an Australian security expert who maintains Have I Been Pwned (HIBP), a service that allows users to check if their details have been exposed in major data breaches. Hunt identified 4,833,678 unique accounts set up by parents, and 227,622 profiles created for kids.

The expert has highlighted several security failures, including the fact that user passwords were stored in the Learning Lodge database as easily crackable MD5 hashes. Furthermore, the exposed data can be used to link parent profiles to children's profiles, which poses a serious privacy risk.
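
As an added illustration (not code from VTech, Hunt or the original article), the sketch below shows one way a site holding unsalted MD5 password hashes like those described above can move to a salted, deliberately slow hash by re-hashing at each successful login. The function names, the record format and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the weak legacy format the article describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password: str) -> str:
    """Build a salted record: pbkdf2$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16)  # per-account random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt; return (ok, record to store afterwards).

    A legacy MD5 record is replaced by a PBKDF2 record on the first
    successful login, because only then is the plaintext available.
    """
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex)), stored
    # Legacy path: constant-time comparison against the unsalted MD5 digest.
    if hmac.compare_digest(legacy_md5(password).encode(), stored.encode()):
        return True, hash_pbkdf2(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    db = {"parent_a": legacy_md5("sunshine1"), "parent_b": legacy_md5("sunshine1")}
    # Unsalted MD5: the same password gives the same hash on every account.
    print("identical MD5 records:", db["parent_a"] == db["parent_b"])
    for user in db:
        ok, db[user] = verify_and_upgrade("sunshine1", db[user])
    # After upgrade each record has its own salt, so the records differ.
    print("identical upgraded records:", db["parent_a"] == db["parent_b"])
```

Accounts that never log in again keep their MD5 record under this scheme, so a real migration also needs a plan for dormant accounts, such as a forced reset.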

In its first statement on the breach, published on Friday, VTech said it had implemented a series of measures to prevent further attacks. However, Hunt identified several security issues on the company’s websites, including the lack of SSL-protected communications, lack of encryption for sensitive data, extensive use of Adobe Flash, which is currently one of the most vulnerable pieces of software, and SQL injection vulnerabilities.

In fact, the hackers told Motherboard that they exploited a SQL injection flaw to gain access to the data. The attackers said they don’t intend to make the leaked data public.

After Hunt published a blog post detailing VTech’s security failures, the company released an updated statement informing customers that Learning Lodge and several other websites have been suspended for a “thorough security assessment and fortification.”

“What really disappoints me is the total lack of care shown by VTech in securing this data,” Hunt said. “It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been. Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”

Users can check the HIBP service to determine if they are affected by the VTech breach. The incident is ranked fourth in HIBP based on the number of impacted accounts, after the data breaches affecting Adobe, Ashley Madison, and 000webhost.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.