Hong Kong-based toy company VTech has admitted that the details of more than six million children and their parents were revealed in a recent hack of its Innotab child-friendly tablet. The hack revealed not only names and addresses, but often photos that the children had taken, as well as messages sent between users through the various applications on the device.
“Regretfully our database was not as secure as it should have been,” VTech's updated FAQ page reads. It said that on the 14th November its “Learning Lodge” app store was broken into, giving a hacker access to the customer database and Kid Connect servers. This led to other sites and services being affected, including Lumibeauxreves.com, VSmilelink.com, Sleepybearlullabytime.com and many other international VTech-owned entities.
It assured concerned parents that it had now taken appropriate steps to secure its databases and various services moving forward, and that none of its other online systems had been affected by this breach. It also promised that no financial details were copied away, but suggested that updating user passwords on all services wouldn't be a bad idea.
Fortunately, in this case, the hacker that exposed this vulnerability was not a nefarious one. In a chat with Motherboard they revealed that they were “sickened” that it was so easy to access such sensitive details, especially the personal images of children. “VTech should have the book thrown at them,” they said.
Source: VTech
In total they were able to access more than 190GB of photos and audio logs. In many cases, those can then be traced back to usernames and account details, which makes the security breach even more worrisome for those affected or using child-friendly, heavily connected devices.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge,” the hacker said. “I have the personal information of the parent and the profile pictures, emails, passwords, nicknames…of everyone in their Kid Connect contacts list.”
That's the most egregious part of this whole thing. Not that VTech was hacked – because oftentimes, if someone wants to hack your service, they will find a way eventually – but that the data was stored in a manner where it could all be linked together. The lack of encryption, and how easy it was to piece together details from different services, made it possible to paint a pretty full picture of a family.
This hack occurred around the same time that security researchers warned of the dangers of high-tech toys, pointing the finger at Mattel and its Hello Barbie toy for not taking security more seriously.
KitGuru Says: Companies really need to start hiring security consultants. Encryption should be mandatory for this sort of stuff, with cast-iron protections in place. It shouldn't even be close to this easy.
But David Cameron said encryption is a tool for terrorists! At his next speech he should applaud VTech for thinking of the children!