The year 2015 is almost over, and a data breach at VTech, the Hong Kong toy manufacturer, has resulted in what appears to be the biggest leak of the year.
VTech makes cordless phones and, for the most part, educational electronic devices for kids that connect to a service called Learning Lodge.
Vice’s Motherboard tech news site was the first to report, on Monday, that the service had been hacked, exposing thousands of photos of parents and kids as well as chat logs between them.
According to VTech’s report, the incident took place on November 14, but the company did not confirm the attack until November 24. A day earlier, on November 23, a Canadian journalist had emailed the company asking about the incident; this triggered an internal investigation that detected irregular activity on the Learning Lodge website.
The company’s official statement, in which it publicly apologizes, reads:
“We can confirm that on November 14 HKT an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products. Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet.”
The FAQ goes on to give the number of customers affected:
“In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate.”
Motherboard sent some of the data to Australia-based security expert Troy Hunt, who verified it by contacting people registered with his service, which notifies users when their email address turns up in a new data breach.
Hunt then published an extended blog post commenting on VTech’s security measures.
“VTech’s account registration services do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts data sent between a user’s computer and a service. The vast majority of these passwords would be cracked in next to no time. […] The flaws are fundamental, and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly. You just can’t take chances with other people’s data in this way, especially not when they’re kids,” he wrote.
Chris Eng, vice president of security research at Veracode, points out that many consumer technology companies, toy maker VTech among them, do not make security a top priority and learn its importance the hard way.
“Toy manufacturers don’t have the rigor around secure development that’s needed in today’s environment and are inevitably going to fall short on security,” he said.