Massive Data Hack of a Kids' Tech Company's Servers Involved Photos, Addresses and More

VTech is a Hong Kong-based company that produces electronic learning products for young children. It's also the latest company to be hit with a massive data hack — one that has affected nearly 5 million parents and over 200,000 children, leading to a breach of user photos, addresses, names, email addresses, chat logs and more.

By Monday, more details of the hack were revealed: The perpetrator told Motherboard he was also able to access photos of parents and children, as well as a year's worth of chat logs. VTech asks users to take and upload photos of themselves. While he has repeatedly said he won't do anything with the data — "it makes me sick that I was able to get all this stuff," he said — it's unclear if this will remain the case, or whether other third parties were able to access the same cache of private information.

A sampling of the hacked photos provided to Motherboard for verification. Source: Motherboard

Motherboard first reported the incident on Friday. The hacker, who has thus far remained anonymous, broke into VTech's servers and accessed the "names, email addresses, passwords and home addresses" of 4,833,678 VTech customers. At the time, an expert who spoke to Motherboard noted that the hack left open the possibility of linking children — along with their full names and locations — to their exposed parents. 

On Monday, VTech put out a press release clarifying the nature of the breach. (The company had previously provided comment on Friday, though only after the Motherboard investigation came to light.)  

"VTech Holdings Limited noted that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on 14 November 2015," the statement said. "Upon discovering the unauthorized access on 24 November 2015, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks." 

In the statement, VTech asserted that their customer database doesn't include credit card information, nor does it store "personal identification data ... such as ID card numbers, Social Security numbers or driving license numbers."

Yet the information included, coupled with the sheer number of users targeted, was enough to set off alarm bells: Reuters reported on Monday that various U.S. states, including Connecticut and Illinois, had opened investigations into the breach. 

The breach also included audio files, one of which the hacker shared with Motherboard.

There may be complicated consequences. Besides the complex nature of the hack itself, the breach also raises questions about the security precautions — or the lack thereof — of other major companies. 

One would expect a corporation that makes nearly $2 billion in revenue to have decent security measures in place. Yet according to some experts, the nature of the company — it makes toys and cordless phones — means it may not be fully prepared to put them in place.

"VTech is a toymaker and I don't expect them to be security superstars," Tod Beardsley, security research manager with Rapid7 Inc., a security and analytics company, told Reuters. "They are amateurs in the field of security."

This is, in a sense, both good and bad: More sophisticated firms, like those that hold the keys to highly personal financial or medical data, likely have more refined techniques in place to protect data. But this doesn't mean that less "serious" companies can ignore security precautions, especially when the wellbeing of minors is at play. 

In fact, it's companies like these that may pose the most danger to everyday users. Few people could have predicted that VTech would be hit with a massive security breach, and that's exactly what makes it so vulnerable.

"You have all these devices and services that are connecting to the Internet by companies that don't have the experience that older software companies do in securing their data," Katie Moussouris, chief policy officer with HackerOne, a vulnerability management company, told Reuters.

An anonymous VTech hack victim who spoke to Motherboard expressed concern that products used for his child could leave him vulnerable to an attack.

"Why do you need to know my address, why do you need to know all this information just so I can download a couple of free books for my kid on this silly pad thing? Why did they have all this information?" he said. "If you can't trust a company like that, then who can you trust with your information? It's kind of scary."

Indeed, it's a question worth asking — both now and, it seems, for the foreseeable future.

Mic has reached out to VTech for comment, and will update if we hear back.

Sophie Kleeman

Sophie is a staff writer at Mic covering the intersection of tech and culture. She's based in New York and can be reached at sophie@mic.com.
