3 min read

VTech toymaker hacked - millions of families have their personal info exposed

Graham CLULEY

November 30, 2015

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
VTech toymaker hacked - millions of families have their personal info exposed

VTech, a leading maker of electronic learning toys, has suffered a serious security breach, with hackers accessing a database containing information about customers and their children.

As a result, data including users’ email addresses, home addresses, security questions and answers, children’s names and dates of birth, and easily-reversible passwords have been accessed.

 

An article on Motherboard explains, the hacker initially contacted security reporter Lorenzo Franceschi-Bicchiera, saying that they had managed to access VTech’s database by using an SQL injection attack.

The hacker says that they have no plans to exploit the stolen data, or publish it publicly, but if is true that the data was accessible via a rudimentary SQL injection attack – there is no guarantee that other more maliciously-minded hackers might not have stolen the data beforehand.

Security researcher Troy Hunt, who assisted Motherboard with its investigation into the breach, examined the stolen data in great detail, and documented a number of security failings on VTech’s part.

Hunt discovered that there were over 4.8 million unique email addresses in the database, alongside passwords that were not stored in plaintext – but were still trivial to crack. Furthermore, Hunt discovered that users’ secret questions and answers were being held in plaintext.

An obvious concern is that not only might a malicious party be able to determine VTech customers’ passwords and attempt to use them to unlock other online accounts, but the “secret” answers might also help with the compromise of – for instance – webmail or banking accounts elsewhere too.

A further blow to VTech’s credibility when it comes to security is its failure to use SSL to encrypt information (such as passwords) when transmitted – opening opportunities for malicious hackers to steal data with ease.

But perhaps what is most disturbing is that the stolen data includes information about customers’ children.

As Hunt describes, parents who used VTech’s Learning Lodge app store to download apps, games and ebooks to their VTech products, were encouraged to create and links profiles for their children – including names, gender, and dates of birth. In all, there are over 227,000 children’s records in the hacked database.

VTech customers have been sent an email by the Hong Kong-based company, which informs them about the security breach but fails to mention that details of children were also at risk.

vtech-email

More up-to-date information, which acknowledges that children’s information has also been exposed, was posted today in a press release on VTech’s website.

At the time of writing, while it attempts to harden its security, VTech has suspended access to the Learning Lodge website:

vtech-suspended-site

Hopefully it’s obvious that if your’e using the same password on multiple sites that now is a great time to break out of that habit – and start using unique credentials for each online account you have. My advice is to use a password manager to remember complex, unique passwords on your behalf.

But another piece of advice may be to start thinking twice about whether you really *need* to give correct information for each service which asks for it. For instance, was it really necessary to tell VTech the real dates of birth for your children? Sometimes lying can be a more sensible course of action.

If there’s any luck in the world, the hacker will be true to their world and not publish any of the stolen data. With luck, no other hackers will have stumbled across the security weaknesses on VTech’s website, and won’t have made copies of the data, and won’t be attempting to find a way to criminally exploit them.

But it’s not good enough that we should have to cross our fingers and hope for good luck when it comes to trusting manufacturers that they are not being reckless with our family’s personal information.

Too many companies aren’t putting security and privacy at their core, and are unnecessarily putting many of us at risk.

tags


Author



Right now

Top posts

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read
What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

September 23, 2021

2 min read
Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Tesla reverses "Full self-driving" beta update after sudden braking reports Tesla reverses "Full self-driving" beta update after sudden braking reports
Graham CLULEY

October 27, 2021

2 min read
Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers
Silviu STAHIE

October 26, 2021

1 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
Filip TRUȚĂ

October 26, 2021

3 min read