Toymaker VTech hit by largest-ever hack targeting kids

2 Dec 2015

Hackers steal kids’ data from gadget maker VTech.

BOSTON/HONG KONG • Some state authorities in the US say they will investigate a massive breach at digital toymaker VTech Holdings, as security experts warn that hackers are likely to target similar companies that handle customer data.

HONG KONG — VTech Holdings is working with regulators in Hong Kong after a hacking attack at the maker of electronic toys and computer tablets compromised the privacy of millions of children and parents.

The personal information of about 5 million people – including the photos and profiles of more than 200,000 children – has been exposed following a hack of the electronic toy maker VTech. The Connecticut and Illinois attorneys-general on Monday said they would probe the breaches, though their representatives declined comment on the focus of their inquiries.

The Hong Kong-based firm initially disclosed the attack on Friday, and said hackers took data of nearly 5 million adults, but it did not disclose how many children’s profiles were accessed. The data breach affected the company’s app store, exposing the email addresses, names and passwords of adults, and the first names, birthdays and gender for kids.

The hackers also obtained children’s photos and chat records from VTech’s Kid Connect service, which allows adults to use their smartphones to chat with kids using VTech tablets, reported technology blog Motherboard. In a statement posted on its website on Tuesday, VTech disclosed that the number of children affected exceeded the number of adults, with data on some 6.4 million children accessed along with data on 4.9 million parents. The company’s statement said the children’s profiles included only name, gender and birth date. Stolen data on their parents included name, mailing address, email address, secret question and answer for password retrieval, IP address, download history and encrypted password.

“I’ve never seen a hack that affected children as much as this one,” said Chris Wysopal, co-founder of cyber security firm Veracode. “This is sort of the Ashley Madison for children. People unwittingly trusting their personal information in a company that wasn’t equipped to handle it.”

VTech runs an online store called the “Learning Lodge” that sells apps, e-books, and other content for its suite of educational tablets and devices. A hacker interviewed by Motherboard’s Lorenzo Franceschi-Bicchierai said that they used a “SQL injection” attack, a simple and extremely common hacking technique in which hackers enter commands into website forms in order to make websites hand over the data they want. Such attacks are easy to defend against, but VTech did not have the proper protocols to do so. “It was pretty easy to dump, so someone with darker motives could easily get [the information from VTech],” the hacker told Motherboard in an encrypted chat.

The largest number of customers whose data was accessed were in the United States, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands. VTech has said that credit card information, Social Security numbers, and driver’s license numbers are not stored either in the Learning Lodge or in their customer database, and have not been affected by the breach. Hackers accessed five million customer accounts through VTech’s Learning Lodge database, where users download applications, learning games and e-books.

The perpetrators could use the information to access social media profiles or to target children online, said Mr Bryce Boland, Asia chief technology officer for FireEye. “It may be that this data theft is only the tip of the iceberg,” he said in an e-mail. “Until there is a thorough forensic investigation, they won’t know if they can still be sucker-punched in cyberspace. The horse may have bolted, but that doesn’t mean the hacker didn’t move from the barn to the house.”

Hong Kong Privacy Commissioner for Personal Data Stephen Wong said his office had initiated a “compliance check” to see if VTech had followed data privacy principles.

The hacker, who asked to remain anonymous and has no plans to exploit the data, also told Motherboard that sensitive information, such as kids’ photos and chatlogs between parents and children, was left exposed on VTech servers.

Some experts say they expect to see more breaches involving data collected through digital toys and other Web-connected devices, a category of products known as the Internet of Things. “You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data,” said Ms Katie Moussouris, chief policy officer with HackerOne, which helps businesses find cyber bugs.

Security expert Graham Cluley warns that the breach underlines the need for parents to think seriously about how their children’s data is shared. “Clearly manufacturers should be taking greater care over data security and privacy, but parents should also be more careful with their children’s personal information,” he explained in an email to “For instance, does an early learning device really need to be told your child’s real date of birth? Always think carefully about the information you share.”

VTech has reached out to every account holder in the database, via email, to alert them of the breach and the potential exposure of their account data.

Activist group Campaign for a Commercial-Free Childhood has raised the privacy risks of the high-tech “Hello Barbie” doll unveiled earlier this year by toy giant Mattel. But ToyTalk, Mattel’s technology partner, in a blog post last week pointed to the “many safety features that have been integrated” into the design of Hello Barbie.

Mr Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it so that it would be difficult to unscramble and useless if stolen.
