Millions of families hit in toymaker VTech hack – including 200,000+ kids

Youngsters' personal info, parents' contact details leak from Chinese gizmo giant

VTech's idea of an awesome, totally not awkwardly Photoshopped family gathering ... Fun and games until they get hacked, of course

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker's database.

And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.

Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.

Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found "4.8 million unique customer email addresses," suggesting that many accounts have been raided by hackers.

He also said people's account passwords were one-way encrypted using MD5, a particularly weak hashing algorithm, meaning simple passwords can be easily cracked and revealed. No salting was used, so off-the-shelf rainbow tables can be used to divulge rudimentary passwords like "children15" or "welcome81".

Hunt was passed the information by journalist Lorenzo Franceschi-Bicchierai, who says the copied data "also includes the first names, genders and birthdays of more than 200,000 kids." And by more than 200,000, it looks like 227,000.

The Vice journo earlier alerted the toy company to the database intrusion after he was contacted by hackers who claimed to have broken into the Chinese giant's systems.

VTech does indeed collect contact information from parents, and their tykes' names, genders, and dates of birth, when a family creates a Learning Lodge account.

In short, this security breach has revealed that sensitive and private information on nearly five million families was poorly protected from crooks and identity thieves – families in the US, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand, we're told.

Youtube video of Learning Lodge

The toymaker said in a statement: "Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

"It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway."

VTech added it is still investigating the infiltration, and has vowed to shore up its IT defenses. It has also emailed its Learning Lodge customers to warn them of the security breach – here's a copy sent to El Reg by reader Simon:

Dear Valued Customer,

On November 24 HKT we discovered that an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database on November 14 HKT. Our records show that you are a customer of the Learning Lodge.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

It is important to note that our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. Our investigation continues as we look at additional ways to strengthen our Learning Lodge database security.

Yours sincerely,

King F. Pang
Group President
VTech Holdings Limited

VTech was not available for immediate comment. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017