VTech hack Exposed Children’s and Parents’ data

In a recent data breach on a kids toy-maker, VTech, 6.4 million children’s data including photos, first names, genders, birth dates and home addresses, as well as information of 5 million parents was exposed by a hacker. The hacker told Motherboard that they gained access to the company’s database using a technique known as SQL injection (SQLi).

Also known as SQLi, this is an ancient, yet extremely effective, method of attack, where hackers insert malicious commands into a website’s forms, tricking it into returning other confidential and private data.

What information was compromised?

6.4 million kids’ profiles were exposed including photos and addresses.

VTech announced in its press release that the customer data on their Learning Lodge app store contained user profile information of 5 million kids (customer accounts) including their names, birth dates, email addresses, passwords, secret questions and answers for password retrieval. It also contained information of IP addresses, mailing addresses, and download history. The only good news is that none of the credit card information was stolen. However, the data created by parents, while setting up account for their children, was exposed.

Countries Most Affected:

• USA: 2,894,091. (2 million children)
• France: 1,173,497
• UK: 727,155

Below are the headshots of kids and their parents. Some of the chat messages were also exposed. To get more information on this breach, you can contact Lorenzo, Staff Writer at Motherboard, where he writes about hacking and information security.

Hacker Obtained Children’s Headshots and Chat Logs From Toymaker VTech

(A sample of edited headshots of children and parents found on VTech servers)

Why would anyone hack Children’s Profiles?

Justin Harvey, Chief Security Officer with Fidelis Cybersecurity, said stolen records sell for $1 to $4 in underground markets. Security experts were skeptical, noting that the stolen data could be worth millions of dollars.

Will This Kind of breach Happen again?

Yes, in case of VTech, their database was vulnerable in the first place. In a post on his website, Troy Hunt, the security researcher who helped verify the VTech breach for Lorenzo, said that there was lack of failing on behalf of VTech. The flaw – there was no SSL anywhere. All communications were over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. Lack of cryptographic protection for sensitive data is yet another example of where it has all gone wrong.

There’s also the growing trend with the Internet of Things (IoT), with more and more devices getting connected at home. There are lots of great companies out there making toys, home appliances and fitness products but that doesn’t mean that they are also good in maintaining and securing your personal data.

All 4.8 million parents are now searchable in HIBP. The children aren’t, but I suspect this will be the first of many times their data will be breached, dumped and traded online.

CONCLUSION:

Data breaches and cyber attacks now seem commonplace. Losing personal information is one thing, but having information on kids, their photos and where they live is scary. Organizations must get serious about the security of their customer data.

ExterNetworks is an end-to-end Managed Security Services provider that provides monitoring and management of security devices and systems. They use high-availability Security Operations Center that help you maintain an acceptable Security posture, reduce costs-to-hire and train personnel, while managing all the common services to improve your security.