United Kingdom police reported that they have arrested a 21-year-old male in connection with the November breach of children's toymaker VTech, a critical breach that exposed the personal lives of nearly 12 million people, leaking gigabytes' worth of personal photos, chat logs and audio clips from millions of unsuspecting children and parents.
The unnamed 21-year-old was arrested in Bracknell, a town about 30 miles west of London. He was arrested on suspicion of two offenses under the Computer Misuse Act; the official charges relate to unauthorized access to a computer and causing a computer to enable unauthorized access to data. UK police said they seized all electronics during the individual's arrest; however, no other information was released.
The massive VTech hack exposed the data of 11.6 million people, 6.4 million of whom were minors. Personal information stolen by the hacker included names, gender and birthdates, while the parents' exposed information included email addresses, security questions and answers, IP addresses, password data, and download history. The gigabytes of stolen data also included a trove of personal headshots and logs of chats between parents and their kids. All of the information was found within VTech’s Learning Lodge app store, which was built and used by the toymaker.
News of the massive VTech hack was reported in late November, after an anonymous hacker leaked gigabytes' worth of data to Vice’s Motherboard. VTech, the hacked company, had no idea it had been breached until Vice Motherboard reached out for comment. However, throughout several articles the hacker explained that he had no intention of releasing the information or using it for any nefarious purposes, but rather was outraged at the company's poor security measures.
The hacker, who wished to remain anonymous, said that “two months ago” he had initially stumbled upon a forum thread in which people were talking about hacking into the Innotab, a VTech-produced tablet for kids. He said that tons of people were able to hack the device, and even run really old versions of the famous 1990s video game Doom on the tablet.
Throughout the thread, forum members discussed the web service that VTech uses to manage all its products. After reading this he was intrigued and decided to browse around until he found one of VTech’s many websites, planetvtech.com. After scavenging through the site, the hacker noticed that it was still using Flash and had a login form. He was quickly able to discover that the page was vulnerable to SQL injection.
After breaching the servers, he was quickly able to obtain a privileged account: root on the server. After poking around and pivoting through the servers, he stumbled upon two databases full of personal information on parents and children.
The extremely critical breach has put a trove of children’s personal information at risk, and has US lawmakers pressuring VTech to explain its practices. The hacker may have stolen critical amounts of data, but a far bigger offense seems to be the way VTech carelessly handles millions of children’s private information.