Toymaker VTech Hacked: 200,000 Kids' Data Exposed5 Million Accounts, Plus Children's Photographs and Chat Sessions Compromised
The danger of insecure, Internet-connected toys - especially in the run up to Christmas - is again in the limelight after Hong Kong toymaker VTech acknowledged suffering a massive data breach that resulted in information on 5 million accounts being compromised, as well as one year's worth of chat logs and stored photographs of children who use its toys (see Who Hacked Barbie?).
See Also: 2016 State of Threat Intelligence Study
VTech was using relatively insecure approaches to secure the customer data, says Australian data security expert Troy Hunt, who warns that the leaked information includes home addresses for more than 200,000 children and their parents.
VTech makes digital-learning toys - including the Digigo tablet, Kidizoom digital camera and Smartwatch, Cora the Smart Cub and Codys First Tablet, among others - as well as cordless phones. The company first warned Nov. 27 that its Learning Lodge app store database had been compromised on Nov. 14. "Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products," the company says. The breach also affected VTech's Kid Connect service, which allows parents to communicate with their children online, and which was storing pictures of children and parents, as well as related chat logs.
"In total, about 5 million customer accounts and related kids profiles worldwide are affected," VTech says in its breach notification. "Our customer database contains user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history," and also stores children's name, gender and birthdate.
In a Nov. 30 updated breach notification, VTech says its breach affects customers in about three dozen countries, including Australia, Belgium, Canada, China, Denmark, France, Germany, Hong Kong, Ireland, Luxembourg, New Zealand, Spain, the Netherlands, United Kingdom, and United States, as well as the Latin America region.
VTech says it first confirmed the breach Nov. 24, after receiving a related inquiry from Canadian Vice Media journalist Lorenzo Franceschi-Bicchierai, who says he was contacted by the alleged hacker. "After receiving [Franceschi-Bicchierai's] email, we carried out an internal investigation and detected some irregular activity on our Learning Lodge website," VTech says. "We immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
The alleged hacker tells Franceschi-Bicchierai that they have no plans to do anything with the data, but warned that the information may have already been stolen by others, noting via encrypted chat that "it was pretty easy to dump, so someone with darker motives could easily get it." The hacker claimed to have breached VTech's site using a simple SQL injection attack, which is allegedly how U.K. telecom giant TalkTalk was also most recently hacked (see TalkTalk Lesson: Prepare for Breaches).
How Learning Lodge Gathers Kid Data, Photos
In the wake of the breach, VTech says in its breach FAQ that it has "reached out to every account holder in the database, via email, to alert them of this data breach and the potential exposure of their account data." It's also taken the Learning Lodge site and other affected sites - including sleepybearlullabytime.com, www.planetvtech.com and vsmilelink.com - offline while it undertakes a "thorough security assessment and fortification."
It also notes that while purchases can be made via its website, those all occur via a third-party payment gateway. "Our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website," it says.
Why This Breach is So Bad
In the wake of massive breaches such as the Ashley Madison data leak, too many people have become habituated to breaches involving their personal information, says Hunt, who runs "Have I Been Pwned?" - a free service that alerts people when their email addresses show up in public data dumps - in a blog post (see We're So Stupid About Passwords: Ashley Madison Edition).
But he describes the VTech breach as being orders of magnitude worse. "When it's hundreds of thousands of children including their names, genders and birthdates, that's off the charts. When it includes their parents as well - along with their home address - and you can link the two and emphatically say, 'Here is 9-year-old Mary, I know where she lives and I have other personally identifiable information about her parents - including their password and security question,' I start to run out of superlatives to even describe how bad that is."
Hunt says he was contacted by Franceschi-Bicchierai last week to try and verify whether the apparent breach of 4.8 million credentials - contained across six comma-separated values files and 10 SQL files - was legitimate. After polling a small sample of "Have I Been Pwned?" subscribers whose registered email addresses he found in the VTech dump, Hunt says he found that the information appeared to be legitimate, with one subscriber telling Hunt: "Yes I did access the VTech Learning Lodge in 2014 after purchasing a 'Cora Cub' for my child. In order to personalize [its] voice activated feature, you had to join the Learning Lodge."
Attorneys general in the U.S. states of Connecticut and Illinois say they plan to probe the breach, reports Reuters. Meanwhile, the Hong Kong Privacy Commissioner for Personal Data, Stephen Wong, says his office has launched a "compliance check" on VTech "with an aim of finding out whether VTech had taken appropriate steps to safeguard personal data before the leakage," as well as to ensure the organization takes whatever measures are necessary to prevent a recurrence.
Hong Kong has relatively stringent data privacy requirements, according to law firm Hogan Lovells, which said that a series of high-profile incidents culminated in 2014 guidance that has resulted in "increased fines, an activist regulator, a policy of 'naming and shaming' those who fail to comply and a growing public interest in data privacy issues." In this case, the regulator says that its investigation may result in its delivering an "enforcement notice" that demands specific changes. Any organization that fails to comply with such a notice faces a relatively meager fine - only up to HK$50,000 ($6,400) - but more importantly, its executives could be imprisoned for up to two years.
"Major Security Failings" by VTech
Hunt says his analysis of the leaked data shows that VTech had some "major security failings," including not using SSL for any of its sites - thus leaving all communications unencrypted. He also criticized the company's extensive use of Flash, the fact that its site was returning SQL statements to users, as well as its overall "lack of cryptographic protection for sensitive data," including poor password security practices, including a weak use of the MD5 cryptographic hash function.
"It's just a straight MD5 hash, not even an attempt at salting or using a decent hashing algorithm. The vast majority of these passwords would be cracked in next to no time; it's about the next worst thing you do next to no cryptographic protection at all," Hunt says. "Speaking of which ... all secret questions and answers are in plaintext. The questions are typical - albeit poor - examples such as your favorite color, where you were born and your first school."
Unfortunately, all of that data - as well as related photographs and many chat sessions relating to the people that data describes - has now been leaked, and may thus be impossible to ever expunge from the Internet.