Over 6 Million Kids Profiles Accessed in VTech Hack

The data breach suffered by Chinese educational toymaker VTech is more serious than initially thought, as the company has confirmed that nearly 5 million customer accounts and more than 6 million kids profiles have been compromised.

VTech reported over the weekend that a total of 4.8 million user accounts and 227,000 kids profiles had been affected. The company initially believed the attacker only gained unauthorized access to Learning Lodge, a VTech website that allows users to download apps, e-books, learning games and other content for VTech products.

However, as it turns out, the hacker also accessed servers used for Kid Connect, a service that allows parents to use their smartphone to chat with their kids on a VTech tablet. Kid Connect, Learning Lodge and several other websites have been suspended while the incident is being investigated.

VTech updated its data breach FAQ after Vice’s Motherboard, the website that first reported on the incident, learned from the hacker that photos of kids and parents, audio files, and chat logs have also been obtained.

The latest incident report from VTech shows that roughly 4.8 million parent accounts and 6.3 million kids profiles are affected, which includes 1.2 million parent accounts on Kid Connect. Approximately 235,000 parent and 227,000 kids accounts on PlanetVTech are also impacted.

Most of the affected individuals are from the United States (2.2 million parent and 2.9 million child profiles), followed by France (868,000 and 1.1 million accounts), the United Kingdom (560,000 and 727,000 accounts) and Germany (390,000 and 508,000 accounts). Users in Spain, Belgium, the Netherlands, Ireland, Denmark, Luxembourg, Latin America, Australia, New Zealand, and other countries are also impacted.

In the case of parent accounts, names, email addresses, mailing addresses, secret questions and answers, passwords, IP addresses, and download histories have been accessed. The passwords were hashed, but because the company used MD5, only very strong passwords are safe.
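As an added illustration (not code from VTech or from this article), the sketch below shows why unsalted MD5 offers so little protection and how a site can move stored records to a salted, memory-hard hash the next time each user logs in. The function names, the `scrypt$salt$digest` record format and the scrypt cost parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5: fast to compute, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Return a record 'scrypt$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    return "scrypt${}${}".format(salt.hex(), _scrypt(password, salt).hex())


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A legacy MD5 record is replaced by a scrypt record on the first
    successful login, so weak hashes drain out of the database over time.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        candidate = _scrypt(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(candidate, digest_hex), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_password(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    old_a, old_b = legacy_md5("sunshine1"), legacy_md5("sunshine1")
    print("unsalted MD5 records identical:", old_a == old_b)
    ok, new_a = verify_and_upgrade("sunshine1", old_a)
    _, new_b = verify_and_upgrade("sunshine1", old_b)
    print("login ok:", ok, "| upgraded records identical:", new_a == new_b)
```

Accounts that never log in again keep their MD5 record under this scheme, so a forced password reset is still needed for them.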

VTech has admitted that child names, genders and dates of birth have been stolen, but it cannot confirm that profile photos, chat logs and audio files have been compromised. According to the company, audio files and images are encrypted using AES-128. VTech says chat logs are not encrypted, but the toymaker claims it only stores undelivered messages for a period of 30 days.

VTech noted that the breached database also holds sales report logs and logs that track kids’ progress in games. The firm says payment card information, social security numbers, and driver’s license numbers are not stored on its systems.

Despite claims that profile photos and audio files are encrypted, the hacker has provided Motherboard a sample of more than 3,800 images and several audio files. Most of the data can be linked to specific usernames, Motherboard reported. The attacker says he has no intention of making public or selling the data.

Australian security expert Troy Hunt, the first to analyze the stolen data, has added the compromised email addresses to the Have I Been Pwned service to allow users to check if they are affected.

“There are a couple of things surprising about [the VTech breach]. First of all, the fact that the attacker says he has no plans to exploit this data. This is the first such credential breach that comes to mind that was done basically as a demonstration,” Shuman Ghosemajumder, VP of Strategy at Shape Security, told SecurityWeek. “Secondly, the fact that VTech apparently had almost nothing in the way of security on their web application: no SSL/TLS encryption for communication to the server (allowing anyone on the same network to sniff credentials being entered), passwords stored as straight MD5 hashes with no salts, and even full SQL injection commands passed as arguments.”

“However, that's just part of the story. It's unusual that despite the credentials not having been leaked to any underground markets that we can see so far, trading of VTech's shares was suspended. That implies that the loss of consumer confidence in their security alone is sufficient to cause catastrophic harm to the company's stock price,” Ghosemajumder added.

[Update] On Thursday, VTech said that it has hired FireEye's Mandiant incident response services to assist in the investigation and to review how VTech handles customer information, in order to find ways in which the company can better protect its user data.

*Updated to include hiring of Mandiant

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.