VTech, the hacked toymaker/children’s company who leaked the personal information on some 4.8 million customers, including hundreds of thousands of innocent children’s information, has also leaked the personal photos, chatlogs and even audio recordings, according to a hacker who stole the information and shared it with Motherboard Vice who broke the story.
The anonymous hacker told reporters he was able to download nearly 200 gigabytes’ worth of photos, including both parents and children, from anyone who had registered an account on the site. The hacker was also able to obtain logs of chats conducting between parents and their children, and in some cases, even audio recordings of the conversations.
In hindsight, the hacker said he does not intend to publicly publish or sell any of the stolen data, but provided Vice with 3,832 disturbing images and at least one audio recording for verification purposes. VTech actively encourages parents to throw away their privacy and take headshots of their children and upload them on VTech products their kids use.
It’s not clear why VTech stored the photos, audio recordings and chatlogs between children and parents on their personal servers. The hacker said he stumped upon tens of thousands of personal pictures of parents with their kids. Some are blank or duplicate, so it’s hard to establish how many are legitimate photos. However, the hacker was able to download more than 190GB of photos, while stumbling upon the Kid Connect Service that has another 2.3 million registered users, presumably housing more headshots of parents and their kids, the hacker said.
The oldest recorded logs were dated as far back as the end of 2014, while the most recent logs were from November of this year, the month the attack unknowingly struck the company.
“Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” read one of the messages, according to the hacker.
Within audio files kids voices can be heard alongside parents and background conversations, the hacker said, who shared one file with Vice.
“Frankly, it makes me sick that I was able to get all this stuff,” the hacker told Vice in an encrypted chat. “VTech should have the book thrown at them.”
A majority of the photos and chat logs can be linked backed to specific usernames, allowing anyone with the data to identify those chatting in the messages and link them together with pictures.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker explained. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”
Just last Friday the massive toy company VTech admitted it was hacked, exposing the names, email addresses, passwords, security questions and home addresses of 4,833,678 parents who bought products sold by VTech.
VTech’s security was so poor the company was unaware its networks had been breached and that hundreds of gigabytes of personal data had been exfiltrated.
In the meantime, VTech, the security clueless company, has taken down some its vulnerable portals “as a precautionary measure,” including the Learning Lodge, as well as dozens of other VTech managed sites.
“That’s the responsible thing to do until they can fix them,” said Troy Hunt, a security researcher who analyzed the breached data, in a tweet Sunday.
While it’s a good start, it’s of little help to the millions of children and parents who have been affected in this horrific privacy blunder.
[Photo via Motherboard Vice]