On Monday we reported that the toy company VTech had been hacked, and that user data for 200,000 kids had been stolen from the company’s servers.
VTech has since commented on the incident, confirming that the number of accounts affected is over 10 million, and that 6.3 million of those belong to kids.
The information stored on the servers consisted of usernames, passwords, emails, and location data, along with chat logs and photos sent between parents and kids using VTech’s tablets. All of the data came from the Learning Lodge app store customer database and from Kid Connect.
Kid Connect is the service that lets parents and kids send messages to each other, from VTech tablets to the parents’ phones through a smartphone app.
No credit card or social security information was leaked.
The company apparently learned of the security breach after they were contacted by journalists. The hack was carried out on November 14, but the company says they didn’t know anything about it until November 24.
“In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts,” VTech confirmed.
They pointed out that the child profiles do not include personal information beyond name, gender, and birthdays.
However, it’s not impossible to link a child’s account to the parent account, which contains more information on their identity. Security expert Troy Hunt painted a bleak picture when he analyzed the situation along with Motherboard’s Lorenzo Franceschi-Bicchierai.
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well–along with their home address–and you can link the two […],” Hunt said. “I start to run out of superlatives to even describe how bad that is.”
While passwords and audio logs were encrypted, the chat logs were not encrypted at all.
VTech writes, “regretfully our Learning Lodge, Kid Connect and PlanetVTech databases were not as secure as they should have been. Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks.”
If you want to check on the safety of your VTech account, you can use this website to find out if your data was leaked.
So far, the hacker who initially breached the servers has told Motherboard that he has no plans to release the data that he discovered. Hopefully this will remain a cautionary tale, one that pushes companies like VTech to enact greater security measures and ensure that nothing like this happens in the first place.
You can find VTech’s full FAQ on the data breach here.