Kids play as toy maker Vtech gets hacked

Just a few short weeks after mere children hacked TalkTalk – allegedly – and its the kids turn to be hacked.

Or a firm that caters to youngsters at any rate.

In a statement released late yesterday, Chinese toy and gadget company Vtech revealed how an unauthorised visitor accessed data stored in its Learning Lodge app store database on 14 November.

The Learning Lodge is a resource centre from which customers can download apps, ebooks, learning games and other educational content to be used with their Vtech products.

Oh, and it also stores names, physical addresses, email addresses, encrypted (no mention of whether that means hashed and salted) passwords, secret questions and answers (guess the previous observation is moot then) used to reset forgotten passwords, IP addresses and download histories.

Nice segregation of data there, eh?

There’s no word on how many customers have been affected but Motherboard suggests it could be north of 5 million parents and 200,000 children.


The only silver lining I can see right now is the fact that, according to Vtech, no credit card data has been compromised.


Motherboard says exposed child data is not that extensive – first name, gender and birthdays only – but by combining the parental data, it was quite possible to match each up with their parents, thus allowing full identification.

Even though the breach took place almost 2 weeks ago, the company was not aware of it until Motherboard approached it for comment, saying:

On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.

And that, in my opinion, is pretty damning, given the fact that Troy Hunt’s HaveIBeenPwned lists this breach as the 4th largest ever consumer data breach.

Vtech, which strangely says it is “committed to protecting our customer information and their privacy” had this to say about the attack:

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Meanwhile, the alleged attacker behind the breach told Motherboard that he had no plans to release the data which he says was acquired through… SQL injection.

One of those two statements is shocking – I’ll let you decide which one is the bigger surprise!

Hopefully, the fact that two major firms have apparently been breached via an ancient attack vector will be a wake-up call to, well, everyone else – if someone can gain access to your customers’ personal information via SQL injection, something is very, very wrong with your security setup!

Leave a Reply