Millions of details stolen in toy company breach.

A massive breach has hit kid's toy company, Vtech, and the details of millions of parents, and children, have been stolen.

VTech makes computerised toys for children, on to which new games or learning modules can be downloaded.
VTech makes computerised toys for children, on to which new games or learning modules can be downloaded.

A titanic breach has hit kid's toy company VTech, leaking millions of customer details from the company's central database. Up to 4.8 million unique customer email addresses were believed stolen as well as hundreds of thousands of other details including names, genders, encrypted passwords, birthdays, secret questions and the corresponding secret answers.

VTech makes ‘computers for kids', electronic platforms on which the little ones can play learning games and things of that nature. The rascal hackers were able to get in through VTech's ‘learning lodge' app store, from which customers can download games for VTech toys.

The company admitted as much just last week, saying that it had been breached on the 14th of November and that an investigation was underway. A letter was sent to customers by King F Pang, group president of VTech Holdings, one of whom sent it to Tech news site, The Register. Pang reassured customers that, “our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the learning lodge website.”

But the fact that no credit card details were stolen is almost beyond the point. The data that was stolen still allowed theft, according to security researcher Troy Hunt, who got a close look at the data, which, “we typically see being used in identify theft attacks: name, address, email plus the secret questions and answers will often provide the info an attacker would need to verify identity on other services.”

One of the key weaknesses that allowed a breach of this magnitude to happen was the antiquated method of storing data that the Hong Kong-based toy company kept in use, long after it became dangerous to do so: Hunt told SC that, “The VTech systems I saw were very old with most of the technology dating back half a decade or more.” Back then, cyber-security awareness was predictably lower. Unfortunately VTech, “just didn't maintain the systems as technology evolved and new threats emerged.”

When Hunt began to check out the data that was sent to him, he found that the passwords stolen were stored using a simple MD5 hash and without salting. He noted in a post about, “the vast majority of these passwords would be cracked in next to no time.” Not only were the passwords left in a vulnerable format, but other credentials were left in plain text including the secret questions and their unlocking answers.

Louise Bulman, VP EMEA region at Vormetric, an encryption and data security company, spoke to SC saying:  “The VTech breach highlights yet again that organisations should be focusing on making sure sensitive data remains protected when (not if) it falls into the wrong hands – and encryption is critical to achieving this.”

While in the past, “encryption was deployed to protect only what businesses were forced to protect by compliance requirements. Now, adopting a default strategy of ‘encrypt everything' is quickly becoming the only reasonable way to retain the upper-hand in the fight against cyber-crime for companies serious about safeguarding customer data."

Bulman added that, “These days, failing to encrypt data is akin to locking the front door of your home in order to feel secure, but leaving the back door wide open.”

Javvad Malik, a security advocate at security company AlienVault  told SC that the fact that this breach involved children adds a troubling new dimension, unseen in cases like TalkTalk or even Ashley Madison:  “Compared to adult identity theft, the danger with a child's identity being stolen is that they may not be aware of it until they are old enough to apply for a bank account, credit card, driving licence, mortgage or job. So technically, someone could steal a child's identity and use that information until the child is 18 years old - by which time their credit rating or other personal records may be damaged beyond repair.” 

Malik added that, “companies need to stop and evaluate what data they are capturing and for what purposes. Is it really necessarily to hold names of children, birthdates addresses etc? The leak of these details can potentially impact individuals long after the company may even exist." 

VTech did not respond for comment.