Children Toy Maker VTech Hacked, Data About Kids and Parents Stolen

Exterminator
4.8 million parent records exposed, 200,000 kid accounts
VTech, a Chinese company that builds and sells electronic learning toys, has been breached by a mysterious hacker that shared the data with Vice's Motherboard.

According to Vice reporter Lorenzo Franceschi-Bicchierai and Troy Hunt, owner of the Have I Been Pwned? service, the data they analyzed contained extremely personal details for over 4.8 million parents, and over 200,000 children.

The company acknowledged the incident and said that no credit card information was leaked in the incident. Unfortunately, many other details were.
These include:

● Parent names
● Parent emails
● Parent passwords
● Parent secret question and answers
● Parent password hints
● Parent login information
● Parent registration URL
● Parent IP information
● Parent addresses
● Parent VTech account details
● Child names
● Child avatar images
● Child gender
● Child passwords
● Child registration URL
● Child VTech account details
● Child-parent relations

The dumped data seems to contain information about VTech customers residing mainly in the UK, Spain, Germany, and France.

Following his analysis, Mr. Hunt says that the data seems to have come after a database dump, following an SQL injection attack, which the Vice reporter's sources confirmed.

Worrisome is the fact that the data revealed information about many sensitive details. This includes the (family) relation between parent and kid accounts, the registration URLs, and data that allows any investigator to identify kids based on the devices they used, and the website they frequented.

Outdated technology and a lack of security best practices made the incident possible
In his analysis, Mr. Hunt also discovered that VTech was using an extremely outdated platform, relying on ASP.NET 2.0, WCF, SOAP, and lots of Flash. SSL was nowhere to be found on any of VTech's sites, and at one instance, analyzing one of VTech's portals, Mr. Hunt also discovered SQL queries dumped with other debug data.

"Why they’re returning a SQL statement is absolutely beyond me," Mr. Hunt noted. "On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant [in VTech's system]."

The VTech data was added to the Have I Been Pwned? service, where it ranks as the fourth biggest data breach in the site's history, right after Adobe (152 million accounts), Ashley Madison (30 million accounts), and 000webhost.com (13.5 million accounts).

What has the world come to :(
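Added example (written for this thread, not code from VTech or from the article) illustrating the two defects Hunt describes above: a query built by string formatting whose error path hands the SQL statement back to the caller, beside a parameterized version that returns only a generic error. The table, sample rows and function names are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for a parent-account table (not VTech's schema).
SAMPLE_ROWS = [
    ("alice@example.com", "pw-hash-1", "First pet?"),
    ("bob@example.com", "pw-hash-2", "Mother's maiden name?"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (email TEXT, password_hash TEXT, secret_question TEXT)"
    )
    conn.executemany("INSERT INTO parents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, email):
    """String-built query plus the debugging habit Hunt describes: on any
    error the SQL statement itself is returned to the caller."""
    sql = "SELECT email, secret_question FROM parents WHERE email = '%s'" % email
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Leaks table and column names, the query shape and the raw input.
        return {"ok": False, "error": str(exc), "sql": sql}


def lookup_safe(conn, email):
    """Parameterized query: the driver handles quoting, so a legitimate
    apostrophe in the input is data, not syntax. Errors are logged
    server-side; the caller only sees a generic message."""
    sql = "SELECT email, secret_question FROM parents WHERE email = ?"
    try:
        return {"ok": True, "rows": conn.execute(sql, (email,)).fetchall()}
    except sqlite3.Error as exc:
        print("lookup failed (server log only):", exc)
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # An ordinary Irish surname is enough to break the string-built query
    # and expose the statement; the parameterized one simply finds no row.
    print(lookup_unsafe(db, "o'brien@example.com"))
    print(lookup_safe(db, "o'brien@example.com"))
```

Note that no attack input is needed to surface the problem: any user-supplied value containing a quote character makes the unsafe path echo its query, which is exactly the kind of debug output that tells an observer where injection would land.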

LabZero

I am speechless!

How is it possible? Probably the strictest safety rules were not applied, where users are kids and must be protected absolutely.
 

jamescv7
No matter what, every system, even in that category, which can be mainly for children or parents, should undergo system analysis and design. ;)

Because hackers use those scenarios as their training to improve more on possible techniques. ;)
 

Exterminator
Update:
As if this story couldn't get any worse, it has :(

VTech hacker also obtained headshots and chat logs of children and parents

The story seems to have developed further, as it has now been revealed that the hacker who was responsible was also able to obtain headshots and chat logs of the users from compromised VTech products.

In an encrypted interview with Motherboard, the hacker, who was asked not to be named, shared that VTech left other sensitive data exposed on its servers, like photos of children as well as chat logs with their parents. The data was reportedly gathered from 'Kid Connect,' a service that allows parents to chat with their children using a VTech tablet. The service also encourages kids and their parents to take headshots of themselves to be used in apps.

The data accounted for a whopping 190 GB from 2.3 million registered users. At this time it is unclear exactly how many images the hacker was able to find, as some are duplicates, but it is estimated to be in the tens of thousands. Aside from the pictures, chat logs and audio communications between children and parents were found on the server. Despite being able to obtain all of the personal data, the hacker told Motherboard that he has no plans in any way to sell or publish it.

"Frankly, it makes me sick that I was able to get all this stuff, VTech should have the book thrown at them" - hacker

According to the hacker, most of the acquired data like pictures, chat logs, and audio recordings can easily be traced back to specific usernames - making it easy for the hacker to identify the people involved. As a measure to prevent any more attacks in the future, VTech said in a press release that for the moment, it has shut down its most vulnerable portals such as the 'Learning Lodge,' along with many other VTech websites.

Source and Image via Motherboard