On Friday, children's electronic toy manufacturer VTech announced in a press release that its servers had been breached. The hacker responsible later told Motherboard that the entry point was an SQL injection flaw in the database behind VTech's Learning Lodge app store.
The exposed data includes the names, e-mail addresses, and even home addresses of 4.8 million customers. Password hashes were also taken; because they are unsalted MD5 rather than anything resembling encryption, a large share can be recovered with a wordlist in minutes, not days. Affected users should change that password, and any other account where it was reused, as soon as possible.
Over 200,000 children have also been affected, with name, gender, and age exposed alongside data that directly links each child to the parent records above. The Hong Kong-based company, valued at roughly two billion dollars, says no credit card data was compromised because payments are handled by a third-party processor. But security questions and answers, stored in plaintext, were obtained, as were IP addresses.
This is the fourth largest consumer data breach to date, yet VTech was not aware of it until the hacker reported his own work to Motherboard. What's more, VTech let several days pass before confirming the breach by e-mail, and even longer before releasing a statement to affected consumers.
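As an added example, not VTech's code and not part of the original article, the general shape of the flaw the hacker described: a record lookup that splices user input into the SQL text, beside the same lookup with a bound parameter. It runs against a constructed in-memory SQLite database with hypothetical parent and child rows; the table names, columns and payload strings are assumptions chosen to mirror the parent-to-child link the article describes.

```python
import sqlite3

# Constructed, hypothetical data in the shape the article describes: a parents
# table and a children table that links each child to a parent's account.
PARENTS = [
    ("a@example.com", "Alice", "1 Main St"),
    ("b@example.com", "Bob", "2 Oak Ave"),
]
CHILDREN = [
    ("Kid A", 6, "a@example.com"),
    ("Kid B", 9, "b@example.com"),
]

# Two classic payloads. The first turns the WHERE clause into a tautology and
# returns every parent; the second uses UNION to pull rows from a table the
# original query never mentioned, linking children back to parent e-mails.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, age, parent_email FROM children --"


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT, address TEXT)")
    conn.execute("CREATE TABLE children (name TEXT, age INTEGER, parent_email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", PARENTS)
    conn.executemany("INSERT INTO children VALUES (?, ?, ?)", CHILDREN)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's string becomes part of the SQL text itself."""
    sql = "SELECT email, name, address FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Fixed: the value is bound as a parameter and cannot alter the query structure."""
    sql = "SELECT email, name, address FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union:    ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:        ", lookup_parameterized(db, TAUTOLOGY_PAYLOAD))
```

The parameterized version returns nothing for either payload because the driver sends the literal string as a value; the vulnerable version returns every parent for the first payload and every child, joined to its parent's e-mail, for the second.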
The hacker in question claims not to have sold the stolen information, but the truth of that claim remains to be seen. Either way, it’s cold comfort for the millions of parents that have trusted VTech with the personal information of themselves and their children.
It gets worse. The hacker — via an encrypted chat with a Motherboard reporter — claims that he was able to get root access to both the VTech web and database servers. He says that it was “pretty easy to dump” and that “someone with darker motives could easily get it.”
Even the passwords were protected by nothing more than an unsalted MD5 hash, a measure that no longer causes so much as a flinch from anyone in the business of data theft: without a salt, one precomputed table of common passwords matches every account at once. And the security questions and answers, stored in plaintext, are the same ones so commonly used as a recovery safeguard elsewhere, so they can be used to reset or take over the victims' accounts at myriad other services.
Troy Hunt, a security expert whom Motherboard asked to examine the breach data, says that VTech's problems are not close to being resolved, despite the company's claim that it has already closed the hole. The site does not use SSL/TLS anywhere, so user data, passwords included, travels across the network completely unprotected.
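To make the point about unsalted MD5 concrete, here is an added example that is not VTech's code and not from the original article. It runs a small dictionary attack against constructed unsalted MD5 hashes for hypothetical accounts, then stores the same passwords with a per-user random salt and PBKDF2-HMAC-SHA256 and runs the identical attack again so the difference in work can be counted. The account names, passwords, six-word wordlist and iteration count are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample rows (hypothetical users, not VTech data) stored the way the
# article describes: one unsalted MD5 hex digest per account.
LEAKED_MD5 = {
    "parent1@example.com": hashlib.md5(b"password1").hexdigest(),
    "parent2@example.com": hashlib.md5(b"letmein").hexdigest(),
    "parent3@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),  # not in the wordlist
}

# A six-entry stand-in for a real cracking wordlist (hypothetical).
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "abc123"]

PBKDF2_ROUNDS = 100_000  # assumed work factor for the hardened scheme below


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5.

    With no salt, each candidate is hashed once and the digest is matched
    against every account at the same time, so the work is len(wordlist) no
    matter how many accounts leaked. Returns (passwords by user, hash count).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def hash_password(password, salt=None):
    """Hardened storage: random 16-byte salt plus PBKDF2-HMAC-SHA256 stretching."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the stretched digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored, wordlist):
    """The same dictionary attack against the hardened store.

    Every (account, candidate) pair needs its own full PBKDF2 run because the
    salts differ, so work scales with accounts * candidates, and each unit of
    work costs PBKDF2_ROUNDS hash operations instead of one MD5.
    """
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for w in wordlist:
            work += 1
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found, work


def build_hardened_store():
    """Store the same three hypothetical passwords with salt and stretching."""
    return {
        "parent1@example.com": hash_password("password1"),
        "parent2@example.com": hash_password("letmein"),
        "parent3@example.com": hash_password("Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("salted PBKDF2:", crack_salted(build_hardened_store(), WORDLIST))
```

Both attacks still recover the two weak passwords; salting and stretching do not rescue "password1". What changes is the cost: the MD5 run hashes each candidate once for all accounts, while the PBKDF2 run has to repeat the full stretched computation for every account and candidate, which is what turns a breach of millions of hashes from a minutes-long job into a matter of brute-forcing each user separately.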
In fact, VTech leaks so much sensitive data from their unsecured databases and APIs, that according to Hunt you “don’t even need a data breach” to cause major problems for trusting customers.
Even though there is no indication that the hacker has done anything with the acquired information thus far, it’s time to take a hard look at the companies in which we place our trust — and the safety of our children.
Nate Church is @Get2Church on Twitter, and he can’t become a wildly overhyped internet celebrity without your help. Follow, retweet, and favorite everything he says. It’s the Right Thing To Do™!