Updated 12/1: Motherboard has revealed that VTech was also storing photos of both parents and children used in the Kid Connect service, along with chat logs and audio recordings. A hacker was easily able to get his hands on 190 gigabytes of images, including the images above (blacked out for privacy). For now, VTech has suspended its Kid Connect and Learning Lodge services until it fixes the security problems.
Original story: If you've purchased toys for your kids or grandkids in the last few years, you've probably run across toys from VTech; you might even have purchased some. VTech makes learning systems for all ages, including colorful tablet-like systems that can display eBooks and run game apps.
VTech toys are popular, but unfortunately it looks like VTech's security isn't on par with its toy-making skills. The company just experienced a massive data breach, a kind of incident that is becoming depressingly common. What isn't common is that this one puts hundreds of thousands of children at risk.
With many VTech toys, parents can go online to the Learning Lodge to download new apps, eBooks and games. This requires setting up an account, which requires information like the parent's name, email address, physical address and so on.
Using a simple SQL injection attack, a single hacker was able to grab this information on 4,833,678 parents. That includes the account passwords and security questions.
According to the hacker and a security expert who reviewed the data, VTech took almost no steps to protect the information. It used an outdated hashing system for the passwords, and everything else was in plain text. That's bad, but it gets worse.