by Bill Snyder

VTech hack exposes personal data of 4.8M customers — and their kids

Nov 30, 2015
Consumer ElectronicsSecurity

A popular toy manufacturer is the latest victim of a large-scale hack, and the breach opened the door for more damaging future attacks on the company's customers and their children.

VTech, a maker of electronic toys for children, was recently hit with a major hack that exposed account information on 4.8 million customers.

The information includes parent names, home addresses, email addresses and passwords. The theft also included 200,000 records related to the customers’ children, including their “first names, genders and birthdays,” according to Motherboard, the website that first reported the data breach.

Stolen info used to create profiles of victims

The stolen records did not include financial information, such as credit card numbers, according to a VTech press release addressing the breach. However, the data obtained by the hackers could potentially be combined with additional personal information on the victims and then used to create detailed profiles. Criminals could then use those to steal more valuable information, says Amit Ashbel, a “cyber security evangelist” with application security firm Checkmarx

“Hackers constantly collect as much data as they can,” he says. “This could be the first step in a series of attacks.”

Although the stolen passwords were encrypted, the technology used to protect them was rudimentary and could be easy to crack, he says. Many users tend to reuse passwords on multiple sites, so VTech customers would be wise to change their login credentials immediately. VTech customers should also keep an eye out for so-called phishing attacks, or email that appears to be from a trusted source and that asks for personal information or directs recipients to log into bogus sites.

The information stolen in the VTech hack, such as the names of children, could also be used to make phishing email more convincing, according to Ashbel.

Security lapse ‘unforgivable’

An SQL injection attack was apparently used in the VTech hack. Surrey University cybersecurity expert Professor Alan Woodward told the BBC, “If that is the case then it really is unforgivable — it is such an old attack that any standard security testing should look for it.”

VTech said it emailed every account holder to notify them of the breach. The company also “temporarily suspended” its Learning Lodge store, which offers apps, music, ebooks, and games for children. “Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” VTech said in a statement.