Children’s toy maker VTech Holdings Ltd. has been hacked and the personal information of some 5 million parents and children has been stolen.
You may never have heard of VTech, but it is a massive children’s company that sells a plethora of technology and educational gadgets, including tablets, phones and baby monitors, among a barrage of other products.
The company announced that there had been “unauthorised access” to its network on November 14, according to a press release published by VTech on Friday.
The hacked data includes the names, email addresses, passwords, security questions and home addresses of 4,833,678 parents who bought products sold by VTech. The stolen data also includes extremely personal information including the first names, gender and birthdays of more than 200,000 kids.
Both children and parents can easily be linked to each other throughout the database, exposing even more information.
This is the fourth largest consumer data breach to date, according to Troy Hunt, a security researcher who runs Have I Been Pwned, a website that lets you check if your information was stolen in past or recent data breaches.
VTech said the company was not aware its networks had been hacked until Motherboard Vice reached out for comment, following data leaked to the publication by the alleged VTech hacker.
“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database,” Grace Pang, a VTech spokesperson, told Motherboard Vice in an email. “We were not aware of this unauthorized access until you alerted us.”
According to VTech, no “personal identification data” or credit card information was stolen, a conclusion it reached after allegedly conducting a thorough investigation into what was taken. However, judging by what the hacker has, it appears their investigation may not have been so thorough.
VTech did publicly announce the data breach on Friday. However, the company did not disclose just how severe the breach was, that the passwords were poorly encrypted, that security questions were stolen in plaintext, or that the identities of hundreds of thousands of children have been exposed online.
While scouring through the company’s website, Hunt discovered that VTech makes zero use of SSL anywhere on their site or within their products. Hunt explained that VTech products transmit all data, including passwords, in plaintext over any network they are connected to. Alongside that, the company powers the site with outdated six-year-old technology.
VTech did not disclose any details on how the company was breached. However, the hacker said he was able to gain access to the company’s database via an SQL injection. The ancient attack works by hackers inserting malicious commands into a website’s open forms, tricking the site into spitting out personal information.
The anonymous hacker said once he was in VTech’s database he was able to gain “root access” on the servers, or in other words, full control.
Even though the hacker said he plans to do nothing with the information, other hackers could have followed, stealing the information from the website for more sinister purposes.
The latest VTech hack ranks as the fourth largest consumer data breach of all time, coming in just after the severe Ashley Madison hack, which exposed the company’s dirty secrets alongside 30 million men looking to have an affair, while few to no women ever visited the site since its launch in 2002.
Though the hacker has claimed they wish to do nothing with the trove of personal information stolen, we will see how the story unfolds and whether other cybercriminals were able to get their hands on this data while it was left vulnerable.