VTech, a maker of kids’ toys like the Kidizoom Smartwatch and InnoTab tablets, was hacked on November 14. It’s been revealed that the hacker was able to access chat logs and photos, which were stored online.
The information stolen includes IP addresses, names, birthdays, information on children’s genders, as well as mailing addresses, email addresses, and passwords. Basically, despite the fact that the hackers weren’t able to get any credit card information, it’s a parent’s worst nightmare.
VTech has almost 5 million customers, and Motherboard writes that over 200,000 children have had their personal information, as well as photos, exposed in the hack.
Much of the information leaked comes from Kid Connect, which is a service that lets parents and kids send text messages between smartphones and VTech tablets. Photos of parents and children, as well as messages, were being stored online. Motherboard’s Lorenzo Franceschi-Bicchierai spoke to the hacker responsible, who says he obtained over 190 GB of photos, which he doesn’t plan to sell or publish.
Franceschi-Bicchierai says that all the information (photos, messages, and even some audio recordings) is easily tied to usernames.
When asked why it was storing this data on its servers, the company had no reply. In a press release, VTech emphasized that no credit card information was stolen.
But for parents concerned about kids’ online safety, credit cards are a non-issue. The technique that the hacker used to get the data is one of the easiest ways to hack a database. Though he told Motherboard he doesn’t intend to do anything with the data, the implications are clear. If someone did have malicious intentions, it wouldn’t be hard for them to access a treasure trove of personal information on VTech’s customers.
It appears that VTech did hash the data, a one-way transformation that makes the original values harder to recover, but even hashing isn’t infallible. The real question is why these photos and chat logs were being stored at all, when the company couldn’t promise to adequately protect them, or even provide a reason why it needed them in the first place.
Smart toys have been examined before for how they store and use kids’ data. In the case of a toy like Hello Barbie, audio recordings are being sent to parents, as well as used for research by the company. The VTech hack, along with other high-profile hacks this year like the one on Ashley Madison, shows that many companies do not know how to safely store information.
In cases like this, it’s not the customers’ fault that their information was leaked. It doesn’t come down to having a complex password, not when hackers could easily reset users’ passwords themselves. It is the responsibility of companies like VTech to be careful about how they store and use customer data, and in this case, customer trust has been betrayed.
Security expert Troy Hunt has published a review of the leak. Hunt helped Motherboard with their story on the incident.