Toy company hack exposes children’s information plus 4.8 million records
30 November 2015
A hack on Hong Kong toy company VTech last week exposed 4.8 million customer records, as well as data belonging to more than 200,000 children.
Names, email addresses, passwords and home addresses of the 4.8 million parents across the world who have bought products from Chinese toy manufacturer VTech were exposed by a hacker last week.
The toy company disclosed the breach on Friday last week, but failed to mention the number of records lost, the poor encryption practices for passwords and that the breach exposed children’s identities.
A further 227,000 children’s records were accessed in addition to the 4.8 million parents’ records, and researcher Troy Hunt found that it was easy to link child and parent records, exposing the children’s names and where they live.
According to Have I Been Pwned, a website which allows consumers to check if their emails and passwords have been compromised in any publicly known hack, the VTech breach is the fourth largest consumer data breach to date.
Have I Been Pwned found that nearly five million unique email addresses could be accessed because of the VTech breach, along with their corresponding passwords, which VTech had protected with the MD5 algorithm – notable for how easily it can be broken.
VTech was “not aware of this unauthorised access” until contacted by Motherboard during the course of its investigation, which began when the anonymous hacker in question told the magazine about the vulnerabilities they had discovered in VTech’s servers.
The hacker told Motherboard that they do not intend to publish the data, but the ease with which they obtained the data using an SQL injection meant that “someone with darker motives could easily get it”.
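The class of flaw referred to above is shown here as an added illustration, not code from VTech or from the reporting: a lookup that splices user input into the SQL string beside the same lookup written with a bound parameter. The table layout and rows are constructed for the example and assume nothing about VTech's real schema.

```python
import sqlite3

# Constructed sample rows for the example; not data from the breach.
SAMPLE_ACCOUNTS = [
    ("parent1@example.com", "Alice Example", "1 Sample Street"),
    ("parent2@example.com", "Bob Example", "2 Sample Street"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, email):
    """The defect: untrusted input becomes part of the SQL text itself,
    so the input can change the structure of the query, not just a value."""
    sql = "SELECT email, name, address FROM accounts WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the driver binds the value separately from the SQL text,
    so whatever the input contains, it is only ever compared as a string."""
    sql = "SELECT email, name, address FROM accounts WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare_lookups(email):
    """Return (rows from the vulnerable query, rows from the safe query)
    for one input, so the two behaviours can be put side by side."""
    conn = build_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate address behaves the same either way ...
    print("real address:", compare_lookups("parent1@example.com"))
    # ... but the textbook probe input turns the string-built query into
    # "WHERE email = '' OR '1'='1'", which matches every row.
    print("probe input: ", compare_lookups("' OR '1'='1"))
```

The useful review question for any codebase is simply whether the SQL text is ever built from request data; where it is, the parameterized form is the drop-in replacement, and a database account that can only read the columns a page needs limits what a remaining flaw can expose.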
Hunt’s investigation into the breach also found that the secret questions the firm used for password and account recovery were stored in plain text, giving attackers the information needed to reset passwords on other accounts belonging to the same user, such as their Gmail or online banking accounts.
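Both of the storage weaknesses reported above (unsalted MD5 for passwords, plain text for recovery answers) have the same remedy, shown here as an added example that is not VTech's code or Hunt's: each secret is stored as a salted, slow hash and checked with a constant-time comparison. The wordlist and the iteration count are the example's own assumptions; the count follows the commonly published guidance for PBKDF2-HMAC-SHA256, not anything the article states.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the example, standing in for the public lists
# that unsalted fast hashes are checked against.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

# Assumption: iteration count per widely published guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(secret: str) -> str:
    """What the article describes: one fast hash, no salt, per secret."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def md5_is_guessable(stored_hash: str, wordlist) -> bool:
    """Defender's check: can a stored hash be matched from a wordlist with no
    per-user work? With unsalted MD5 one hash per word covers every user."""
    return any(md5_unsalted(word) == stored_hash for word in wordlist)


def normalize_answer(answer: str) -> str:
    """Recovery answers are case- and whitespace-insensitive, so normalize
    before hashing; otherwise 'Fluffy' and 'fluffy ' would not match."""
    return " ".join(answer.strip().lower().split())


def store_secret(secret: str) -> tuple[bytes, bytes]:
    """Hash a password or recovery answer with a fresh random salt.
    Returns (salt, digest); both are stored, neither reveals the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_same_hash(secret: str) -> tuple[bool, bool]:
    """Two users choosing the same secret: identical under unsalted MD5
    (one crack reveals both), distinct under the salted scheme."""
    md5_same = md5_unsalted(secret) == md5_unsalted(secret)
    _, d1 = store_secret(secret)
    _, d2 = store_secret(secret)
    return md5_same, d1 == d2


if __name__ == "__main__":
    print("MD5 of 'letmein' found in wordlist:",
          md5_is_guessable(md5_unsalted("letmein"), COMMON_PASSWORDS))
    salt, digest = store_secret(normalize_answer("  Fluffy "))
    print("recovery answer verifies:", verify_secret(normalize_answer("fluffy"), salt, digest))
    print("same secret, same hash? (md5, pbkdf2):", same_password_same_hash("letmein"))
```

Recovery answers deserve exactly the treatment passwords get: they are a credential in their own right, and because users reuse them across sites, a plain-text store is a reset key for accounts the breached company never held.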
Hunt said that further examination showed VTech does not use SSL web encryption anywhere and transmits sensitive information, including passwords, unprotected.
The company’s websites also “leak extensive data” from their databases and APIs, meaning attackers could obtain a lot of information about parents and children.
Hunt said the incident should stand as a warning for companies about protecting data prior to breaches.
“The bottom line is that you don’t even need a data breach,” he said on his blog.
“Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”