Security of VTech toys breached, 6 million affected
VTech, the giant of children's learning toys announced that its Kidizoom smartwatches and VTech InnoTab tablet had exposed the children to identity theft. VTech said the hackers had reached into its "Learning Lodge app store and its Kid Connect mobile app service that lets parents communicate with those tablets." The hack had affected as many as 6 million children as disclosed by VTech.
Panic struck Chinese company VTech, when it was revealed that a hack had exposed the personal information of almost 5 million parents and more than 200,000 kids. The hacker shared the data with company Motherboard (which then alerted VTech), even though it could have been sold online. The breach was especially worrying as it could give the kid's exact addresses and become a security-concern.
The major fault lay in VTech's handling of customer data using unencrypted and non-SSL delivery of communication. Login, passwords and addresses were all delivered over a standard HTTP protocol with no protection for users. The kids' passwords were saved in plaintext; adult passwords utilized weak encryption making them soft-targets. Moreover, in its public announcement VTech glossed over damages and did not share actual figures.
VTech suffered more backlash as the hacker exposed that VTech had left "thousands of pictures of parents and kids and a year's worth of chat logs stored online", making them easily accessible to hackers. This poses a threat to the 2.3 million users registered with Kid Connect service. The hacker yielded a batch of 3,832 image files with Motherboard for verification purposes.
VTech's stolen data included the name, gender and birth date of the children. It further gave access to data on their parents "included name, mailing address, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password." Security experts noted that the hacked data could be worth millions of dollars when sold to underground markets.
VTech shares have lapsed 2.73% since it first revealed the hack in November, while the Hang Seng index was down 0.38% for the same period.
The VTech data breach is now being rated as the fourth-largest consumer data breach to date and the biggest one that has targeted kid's information.
VTech Holdings Inc. solicited help from FireEye Inc. Mandiant Incident Response team, a cyber forensic team to strengthen its "security and investigate" the hacking attack. The response team is presently looking at how the VTech handles customer information and is looking for ways to increase security. VTech allegedly shut down access to its sites to minimize the damage caused by the hack.
