5M affected in VTech breach; security concerns raised with popular holiday items

A breach at Hong Kong-based toymaker VTech has affected nearly five million and prompted some to rank it the fourth biggest breach to date.
A breach at Hong Kong-based toymaker VTech has affected nearly five million and prompted some to rank it the fourth biggest breach to date.

A cybercriminal stole a database on Nov. 14 from the Hong Kong-based toymaker VTech that contained the information of nearly five million people including more than 200,000 children even as security issues with other popular holiday items have raised concerns.

The VTech database contained names, email addresses, passwords and home addresses, secret question and answer for password retrieval, IP address, mailing address and download history, according to a Nov. 27  release.

The attacker responsible contacted Vice's Motherboard and provided sensitive materials obtained from the breach before it was announced. The hacker claimed to have stolen the information using SQL injection to gain “root access” to VTech's web and database servers.

“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker was quoted as saying while claiming to have no malicious intentions of using the data.

When reached by the publication for confirmation, a VTech spokesperson said “we were not aware of this unauthorized access until you alerted us.”

The company then said the subsequent release that the incident is still under investigation.

“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website,” the company said.

John Gunn, vice president of communications at VASCO Data Security International, Inc., said in a statement emailed to SCMagazine.com that “the hackers will not benefit immediately from the stolen data, but they will use it for other attacks - they collected millions of username and password combinations and more than half of online users use the same password for all of their accounts, including their banking account.”

The website Have I Been Pwned is ranking the incident as the fourth largest consumer data breach to date.

Separately, Italian authorities are planning to invest in technology that will allow them to monitor the Sony PlayStation network in light of the Paris Attacks. Belgium officials noted in November that it is difficult to decrypt communication that is done on the PlayStation 4 after it was learned that the perpetrators of the attacks may have used the network to send messages.

The nation's justice minister Andrea Orlando told Italian newspaper Il Messaggero that the government will be investing 150 million Euro to improve the nation's security forces that will include funds to allow law enforcement to monitor communication platforms including the popular gaming network, according to a Security Affairs blog penned by Pierluigi Paganini.

Other toys are feeling the harsh glare of the spotlight this season as well. Researchers identified security concerns in Mattel's Hello Barbie that could allow an attacker to extract, internal Mac addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll. The interactive doll “listens” to conversations when a button is pressed to record audio, which is then encrypted before being sent over the internet.

“You can take that information and find someone's house or business, security researcher Matt Jakubowski told NBC.

NBC reported that ToyTalk, the company that operates the doll's speech services, admitted the doll can be hacked but added the company told them “in this case the information that was discovered does not identify a child, nor does it compromise any audio of a child speaking.”

Kymberlee Price, senior director of researcher operations at Bugcrowd said in a statement emailed to SCMagazine.com "VTech and Mattel are not the only two manufacturers that have IoT toys lining the shelves, and parents have no way of knowing if the toy they are purchasing was securely designed and developed, or is a threat to their children's privacy and the security of their home network." 

She went on to say that any company developing an Internet-enabled device is creating a specialized computer, and should follow industry standard secure development processes to protect their customers. 

UPDATE: Vice's Motherboard reported the VTech databases also exposed information including kids' photos and chat logs between children and parents. VTech encourages parents and their children to take pictures to use for their Kid Connect App. The hacker was reportedly able to download 190GB worth of photos though it is unclear how many people were impacted considering the possibility that some of the photos may have been of the same person.  The company announced it has suspended its Learning Lodge and other websites temporarily as a precaution while it investigates the breach in a Nov. 30 press release.

This story has also bee updated to include a statement from Bugcrowd's Kymberlee Price.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS