Updated 12/1: Motherboard has revealed that VTech was also storing photos of both parents and children used in the Kid Connect service, along with chat logs and audio recordings. A hacker was easily able to get his hands on 190 gigabytes of images, including the images above (blacked out for privacy). For now, VTech has suspended its Kid Connect and Learning Lodge services until it fixes the security problems.
Original story: If you've purchased toys for your kids or grandkids in the last few years, you've probably run across toys from VTech; you might even have purchased some. VTech makes learning systems for all ages, including colorful tablet-like systems that can display eBooks and run game apps.
VTech toys are popular, but unfortunately it looks like VTech's security isn't on par with its toy-making skills. It just experienced a massive data breach, which is becoming depressingly common. What isn't common is that this one puts hundreds of thousands of children at risk.
With many VTech toys, parents can go online to the Learning Lodge to download new apps, eBooks and games. This requires setting up an account, which requires information like the parent's name, email address, physical address and so on.
Using a simple SQL injection attack, a single hacker was able to grab this information on 4,833,678 parents. That includes the account passwords and security questions.
According to the hacker and a security expert who reviewed the data, VTech took almost no steps to protect the information. It used an outdated hashing system for the password, and everything else was in plain text. That's bad, but it gets worse.
So far, this is a fairly standard data breach. No payment information was stolen, so the advice for the parents is to update the password and security question of your other online accounts. You should also be on the lookout for an increase in phishing email.
Where it gets bad is that for some of its toys, VTech also lets kids create accounts. VTech has about 200,000 kids' accounts that include first names, genders and birthdays. These are kept in a separate database, but the hacker easily got that as well.
Even worse, the hacker found it's possible to match up the databases, so they can see which kids belong to which parents. That means that the hacker can quickly see any child's physical address. Combine that with names, birthdays, parent email addresses, and there's endless ways a hacker or creep can attack a family.
The hacker who breached VTech told Motherboard they have no intention of doing anything with the data. In fact, they haven't even released it publicly. They claim they just took it to prove that it could be done and show VTech the extent of the problem.
However, the hacker, and other security experts, have also pointed out that stealing the data was so easy, it's possible other hackers have already done so. While VTech hasn't said anything about multiple breaches, it didn't even know this one had happened until Motherboard reached out.
While VTech might step up its security in the meantime, it's probably going to take a while. As it stands, it doesn't even use encryption for its password-protected areas. Find out why encryption is important.
If you are a parent or grandparent of a child with VTech toy that allows for creating accounts, log in now and change your password and security question right away. Then change any personal information to something that isn't real. Finally see if you can delete the account.
If you aren't sure if your data was part of the breach, the hacker has submitted the full list of stolen email addresses to the site Have I Been Pwned? You can check to see if your email address is one of them.