So far, this is a fairly standard data breach. No payment information was stolen, so the advice for the parents is to update the password and security question of your other online accounts. You should also be on the lookout for an increase in phishing email.
Where it gets bad is that for some of its toys, VTech also lets kids create accounts. VTech has about 200,000 kids' accounts that include first names, genders and birthdays. These are kept in a separate database, but the hacker easily got that as well.
Even worse, the hacker found it's possible to match up the databases, so they can see which kids belong to which parents. That means that the hacker can quickly see any child's physical address. Combine that with names, birthdays, parent email addresses, and there's endless ways a hacker or creep can attack a family.
The hacker who breached VTech told Motherboard they have no intention of doing anything with the data. In fact, they haven't even released it publicly. They claim they just took it to prove that it could be done and show VTech the extent of the problem.
However, the hacker, and other security experts, have also pointed out that stealing the data was so easy, it's possible other hackers have already done so. While VTech hasn't said anything about multiple breaches, it didn't even know this one had happened until Motherboard reached out.
While VTech might step up its security in the meantime, it's probably going to take a while. As it stands, it doesn't even use encryption for its password-protected areas. Find out why encryption is important.
If you are a parent or grandparent of a child with VTech toy that allows for creating accounts, log in now and change your password and security question right away. Then change any personal information to something that isn't real. Finally see if you can delete the account.
If you aren't sure if your data was part of the breach, the hacker has submitted the full list of stolen email addresses to the site Have I Been Pwned? You can check to see if your email address is one of them.