Rik Ferguson, Vice President Security Research with Trend Micro, told the BBC that VTech didn't properly scramble customer passwords in its database and also stored customers' security questions and answers in plain text. The toy company also used a vulnerable algorithm to “hash” its customers' passwords, the researcher said.
"They made a poor choice. The MD5 algorithm has been known to be flawed for a decade," the BBC quoted Ferguson as saying.
As a result a hacker was able to access the names, email addresses, passwords and home addresses, secret question and answer for password retrieval, IP address, mailing address, download history and 190GB worth of photos from the company's website. The hacker told Vice's Motherboard the purpose of the attack was to expose the security flaws and ensure they were patched.