
Another day, another massive data breach involving the personal details of millions of unsuspecting people. It's a little different this time, though. Electronics and toy manufacturer VTech has shut down its family-oriented Learning Lodge app store after attackers managed to gain access to the account data of nearly five million adults and kids who had signed up for the service.

Hong Kong-based VTech's kids' toys include various toy versions of tablets, laptops, and even smartwatches. They're all positioned as educational toys and include integration with the VTech Learning Lodge app store for customization and new apps. In fact, to make just about any change to the included software, parents have to sign up for a Learning Lodge account, making a login for themselves and their children.

The information collected by VTech varies a bit depending on the site used to sign up (there are several different portals for creating a VTech account). Herein lies the problem. It turns out that VTech wasn't doing a very good job of keeping that account information secure. According to the company, hackers managed to access names, email addresses, home addresses, IP addresses, download history, and password recovery questions and answers. Affected are consumers in the US, UK, Canada, Germany, China, and a number of other regions.

VTech says it has contacted all the affected customers, but it can't do much other than shrug and offer an apology. At least VTech doesn't have payment details, because otherwise those would probably have been leaked too. Although, maybe that's why VTech didn't take the security of its database seriously enough.


The breach happened on November 14th, and has been broken down in exhaustive detail by security researcher Troy Hunt. The stolen data contains a regular CSV file with 4,862,625 rows (one for each user account) with column headings like email, first_name, last_name, secret_question, secret_answer, and encrypted password. You may be thinking, "Oh, good… at least the passwords were encrypted." Unfortunately, it's just a straight MD5 hash that can be cracked in no time. Everything else is in plain text, which is insane. Other CSVs contain data on the kids with IDs that connect them to the parent accounts, which have additional information.
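To make the hashing problem concrete, here is an added example (not code from the article, VTech, or the researcher's analysis) that audits a table with the column names listed above for the telltale signs of bare MD5, next to a salted, slow alternative. The sample rows and passwords are constructed, the function names are hypothetical, and PBKDF2 is this example's choice of replacement, not one the article names.

```python
import csv, hashlib, hmac, io, os
from collections import Counter

# Constructed sample rows using the column names the article lists.
SAMPLE_CSV = (
    "email,first_name,last_name,secret_question,secret_answer,encrypted_password\n"
    "a@example.com,Ann,Lee,First pet?,rex,{h1}\n"
    "b@example.com,Bob,Ray,First pet?,tom,{h1}\n"
    "c@example.com,Cat,Fox,First pet?,sam,{h2}\n"
).format(h1=hashlib.md5(b"constructed-pw-1").hexdigest(),
         h2=hashlib.md5(b"constructed-pw-2").hexdigest())

def looks_like_raw_md5(digest):
    """32 hex characters with no salt or cost prefix is the shape of a bare MD5."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())

def shared_digests(csv_text, column="encrypted_password"):
    """Digests stored on more than one account: with no per-user salt,
    equal passwords always produce equal stored values."""
    rows = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(row[column] for row in rows)
    return {d: n for d, n in counts.items() if n > 1}

def hash_password(password, salt=None, iterations=600_000):
    """Hardened form: random per-account salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key

def verify_password(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    for digest, n in shared_digests(SAMPLE_CSV).items():
        print(f"{digest} is shared by {n} accounts; raw MD5 shape: "
              f"{looks_like_raw_md5(digest)}")
    s1, k1 = hash_password("constructed-pw-1")
    s2, k2 = hash_password("constructed-pw-1")
    print("same password, salted KDF, equal stored values:", k1 == k2)
```

With the salted form, two accounts that share a password no longer share a stored value, and each guess costs hundreds of thousands of hash iterations instead of one.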

This is a significant blunder for VTech, and closing its app store isn't going to undo the damage. It didn't take security seriously enough, presumably because it was "just" making kids' toys. They didn't even bother to use SSL. Still, personal information is still personal, and now a lot more of it is floating around the Internet.