VTech reveals breadth and depth of data attack

Children's toy company VTech has released more information on its recent breach which left millions of adults and children's personal information in the hands of cyber-criminals.

VTech has elaborated on the details of its recent breach
VTech has elaborated on the details of its recent breach

Yet more has been revealed in the unfolding VTech scandal. The kid's e-toy company was breached on 14 November, resulting in the loss of what is now believed to be 6.4 million account details of both the parents who bought VTech toys and the children who play with them.

VTech released details of exactly how many accounts were breached, what countries they are from and how many children's accounts were hacked along with how many parents' accounts. Topping the list was the USA with 2,212,863 parent account details stolen together with three million children's profiles. France came a distant second with 868,650 parents' accounts breached and just over one million children's profiles. The UK came in at an even more distant third with 560,487 parent accounts and 727,155 child profiles.

In their most recent statement, VTech was keen to point out that children's accounts contained only the gender, birthday and name of the child. However, taken along with those details were 1.2 million Kid Connect parent accounts, an app which allows parents to communicate with their kids over VTech connected devices. These accounts contain profile pictures as well as certain chat logs, which are kept on VTech servers for 30 days. Whether pictures of children were taken as well as their parents' is yet to be seen as VTech's investigation is still ongoing.

Clearly, one of the more troubling aspects to this particular hack is the involvement of children. Idan Tendler, CEO of Fortscale and a former lead agent for the Israel Defense Forces signals intelligence unit, the 8200, spoke to SCMagazineUK.com on this particular fact: “While there really is no excuse for any company to suffer from a lack of security, those that cater especially to kids should employ every available safeguard to ensure that these children are safe. “

The investigation began after VTech was alerted by a journalist from Motherboard, a tech news publication, who had in turn been contacted by those who carried out the breach. This, to Tendler, only exacerbates the gravity of the situation: “The fact that VTech wasn't even aware of the attack until it was notified by the media suggests a massive failure on the company's part to properly monitor its network for intrusions.”

The hackers were able to smash through VTech's notably weak defences with apparent ease, getting their hands on account details as well as passwords, secret questions and answers. 

Troy Hunt, an Australian security researcher who got an early look at the data leaked in the breach, told SC this week that the systems he saw “were very old with most of the technology dating back half a decade or more. There wasn't the same level of awareness back then about the necessity to use strong password hashing and unfortunately they just didn't maintain the systems as technology evolved and new threats emerged.”