Toy merchant VTech is placing blame for its insecurity issues on its own users.


According to developer-blogger Troy Hunt, the company's terms and conditions were updated on 24 December after the breach that led to the leaking of its customers' personal information. It took over a month before anyone noticed the revision.


In his blog, Hunt specifically noted this statement from VTech's updated T&Cs: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”

VTech's sites had unsalted MD5 password hashes, no SSL encryption, SQL statements returned in API calls and extremely outdated web frameworks. Around five million accounts were exposed in the main breaches.


VTech has announced plans to acquire LeapFrog for $72 million (£50M) as both companies have made this deal expected to close next month.


Fortune says the move will mark an important merger in educational games and technology. With the buyout, VTech hopes to turn public focus away from its security issues and back on its products.