Adults are usually worried about letting their children use any personal data online, but it the kids should be just as worried about trusting parents with their information; a breach at toymaker VTech has compromised the data of over 5 million people.
On Monday, VTech confirmed a suspected hack took place on November 14, 2015 when an unauthorized party accessed Learning Lodge, the company’s app store database. Names, email addresses, download history, passwords, security questions and answers for password retrieval, IP addresses, and mailing addresses are among the compromised information.
Accounts also contained information about children, including names, genders, and birthdates. Motherboard has reported that the hacker also was able to obtain photos and audio chatlogs—in many cases, messages exchanged between parents and children—from the server. These logs can be traced back to specific usernames and can be paired with other information from the hacked database.
“I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list,” the hacker told Motherboard.
VTech emphasized in its statement that no credit card information or personal identification data like Social Security numbers or driving licenses were stored in the database or accessed in the hack; all payments made on the VTech app store took place through a secure, third-party payment system.
It took 10 days for VTech to discover the breach had occurred. The maker of connected devices for kids has alerted affected customers via email. While the company insisted in its statement that it is “committed to protecting our customer information and their privacy,” VTech didn’t confirm to the public that the hack had taken place for another six days after its discovery.
Troy Hunt, creator of Have I Been Pwned? and Microsoft MVP for Developer Security, independently confirmed the hack on Saturday. In his examination of the breach, Hunt found that the passwords stored on the database were not encrypted and could easily be cracked. Additionally, all secret questions and answers were stored in plain text.
“Their acknowledgement grossly underplays the significance of the event,” Hunt told the Daily Dot. “Both their first public statement and the subsequent one today focus on replaceable information like credit cards and entire neglect the fact that people’s kids are now exposed online. The follow-up piece on Motherboard today also shows how private messages and photos were obtained too—that’s what’s important to people, not a credit card they can have cancelled.”
The data of children and their parents are linked directly within the database, giving access to personal information to both generations of users. Hunt found the average age of the child in the database to be five years old; about 200,000 children accounts were compromised.
VTech has taken down some of the vulnerable portals including Learning Lounge and 13 related sites. Hunt wrote that he has passed on suggestions to VTech on how to secure their system but said, “there’s no simple fix” and that the “flaws are fundamental.”
VTech did not respond to request for comment.
Photo via Jeff Geerling/Flickr (CC BY 2.0) | Remix by Max Fleishman