Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?


Incident Response

Over 6 Million Kids Profiles Accessed in VTech Hack

The data breach suffered by Chinese educational toymaker VTech is more serious than initially thought, as the company has confirmed that nearly 5 million customer accounts and more than 6 million kids profiles have been compromised.

The data breach suffered by Chinese educational toymaker VTech is more serious than initially thought, as the company has confirmed that nearly 5 million customer accounts and more than 6 million kids profiles have been compromised.

VTech reported over the weekend that a total of 4.8 million user accounts and 227,000 kids profiles had been affected. The company initially believed the attacker only gained unauthorized access to Learning Lodge, a VTech website that allows users to download apps, e-books, learning games and other content for VTech products.

However, as it turns out, the hacker also accessed servers used for Kid Connect, a service that allows parents to use their smartphone to chat with their kids on a VTech tablet. Kid Connect, Learning Lodge and several other websites have been suspended while the incident is being investigated.

VTech updated its data breach FAQ after Vice’s Motherboard, the website that first reported on the incident, learned from the hacker that photos of kids and parents, audio files, and chat logs have also been obtained.

The latest incident report from VTech shows that roughly 4.8 million parent accounts and 6.3 million kids profiles are affected, which includes 1.2 million parent accounts on Kid Connect. Approximately 235,000 parent and 227,000 kids accounts on PlanetVTech are also impacted.

Most of the affected individuals are from the United States (2.2 million parent and 2.9 million child profiles), followed by France (868,000 and 1.1 million accounts), the United Kingdom (560,000 and 727,000 accounts) and Germany (390,000 and 508,000 accounts). Users in Spain, Belgium, the Netherlands, Ireland, Denmark, Luxembourg, Latin America, Australia, New Zealand, and other countries are also impacted.

In the case of parent accounts, names, email addresses, mailing addresses, secret questions and answers, passwords, IP addresses, and download histories have been accessed. The passwords were hashed, but since the company used MD5 only very strong passwords are safe.

VTech has admitted that child names, genders and dates of birth have been stolen, but it cannot confirm that profile photos, chat logs and audio files have been compromised. According to the company, audio files and images are encrypted using AES-128. VTech says chat logs are not encrypted, but the toymaker claims it only stores undelivered messages for a period of 30 days.

Advertisement. Scroll to continue reading.

VTech noted that the breached database also holds sales report logs and logs that track kids’ progress in games. The firm says payment card information, social security numbers, and driver’s license numbers are not stored on its systems.

Despite claims that profile photos and audio files are encrypted, the hacker has provided Motherboard a sample of more than 3,800 images and several audio files. Most of the data can be linked to specific usernames, Motherboard reported. The attacker says he has no intention of making public or selling the data.

Australian security expert Troy Hunt, the first to analyze the stolen data, has added the compromised email addresses to the Have I Been Pwned service to allow users to check if they are affected.

“There are a couple of things surprising about [the VTech breach]. First of all, the fact that the attacker says he has no plans to exploit this data. This is the first such credential breach that comes to mind that was done basically as a demonstration,” Shuman Ghosemajumder, VP of Strategy at Shape Security, told SecurityWeek. “Secondly, the fact that VTech apparently had almost nothing in the way of security on their web application: no SSL/TLS encryption for communication to the server (allowing anyone on the same network to sniff credentials being entered), passwords stored as straight MD5 hashes with no salts, and even full SQL injection commands passed as arguments.”

“However, that’s just part of the story. It’s unusual that despite the credentials not having been leaked to any underground markets that we can see so far, trading of VTech’s shares were suspended. That implies that the loss of consumer confidence in their security alone is sufficient to cause catastrophic harm to the company’s stock price,” Ghosemajumder added.

[Update] On Thursday, VTech said that it has hired FireEye’s Mandiant incident response services to assist in the investigation and review how VTech handles customer information to find ways which the company can better protect its user data.

*Updated to include hiring of Mandiant

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...