Major breach at VTech includes data on 200,000 children and nearly five million parents
Data stolen in a hack on toy maker VTech could be used to identify children, according to a security researcher.
The Hong Kong-based company, which makes children’s tablets, learning toys and baby monitors, confirmed its customer database was breached on November 14.
The data involved was collected via VTech’s Learning Lodge website, where parents must register in order to use many of VTech’s toys, the company said.
“Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” VTech said in a statement. “We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future.”
The breach affects customers in the US, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand, the company confirmed.
While VTech’s website doesn’t handle payment data or personal information such as ID card numbers or social security numbers, the information stolen does include the names, email addresses, passwords and mailing addresses of 4.8 million parents and more than 200,000 children, according to Microsoft security researcher Troy Hunt, who helped to analyse data from the breach.
The information on children includes first names, genders and birthdays, and the child data can be easily linked to that of the parent, Hunt said in a blog post published over the weekend.
“It includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’” he wrote. He added that the average age of the children involved was five years.
The incident is the fourth-largest consumer data breach to date, according to Hunt.
The incident was initially reported by online magazine Motherboard, after it was contacted by the unidentified hacker who carried out the attack. Motherboard notified VTech of the breach on 23 November and VTech, in turn, notified customers on Friday, 27 November.
The stolen data was poorly protected, Hunt said, with passwords stored as MD5 hashes, which are considered straightforward to crack.
The users’ secret questions for password or account recovery were stored in plain text, meaning attackers could use this data to attack users’ accounts elsewhere, he said.
Hunt noted that VTech’s website doesn’t use encryption to protect communications, meaning an attacker could, for instance, intercept the transmission of password data.
The hacker involved planned to do “nothing” with the data, according to Motherboard, but said the information could easily have been stolen by others.
VTech did not respond to a request that it confirm the number of users involved and whether children were affected.
VTech said UK customers can contact it regarding the incident at firstname.lastname@example.org. Users can search Hunt’s website Have I Been Pwned to see whether their data was included in the breach.