Massive Data Hack of a Kids' Tech Company's Servers Involved Photos, Addresses and More

Impact

VTech is a Hong Kong-based company that produces electronic learning products for young children. It's also the latest company to be hit with a massive data hack — one that has affected nearly 5 million parents and over 200,000 children, leading to a breach of user photos, addresses, names, email addresses, chat logs and more.

By Monday, more details of the hack were revealed: The perpetrator told Motherboard he was also able to access photos of parents and children, as well as a year's worth of chat logs. VTech asks users to take and upload photos of themselves. While he has repeatedly said he won't do anything with the data — "it makes me sick that I was able to get all this stuff," he said — it's unclear if this will remain the case, or whether other third parties were able to access the same cache of private information.

Motherboard

Motherboard first reported the incident on Friday. The hacker, who has thus far remained anonymous, broke into VTech's servers and accessed the "names, email addresses, passwords and home addresses" of 4,833,678 VTech customers. At the time, an expert who spoke to Motherboard noted that the hack left open the possibility of linking children — along with their full names and locations — to their exposed parents. 

On Monday, VTech put out a press release clarifying the nature of the breach. (The company had previously provided comment on Friday, though only after the Motherboard investigation came to light.)  

"VTech Holdings Limited noted that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on 14 November 2015," the statement said. "Upon discovering the unauthorized access on 24 November 2015, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks." 

In the statement, VTech asserted that their customer database doesn't include credit card information, nor does it store "personal identification data ... such as ID card numbers, Social Security numbers or driving license numbers."

Yet the information included, coupled with the sheer number of users targeted, was enough to set off alarm bells: Reuters reported on Monday that various U.S. states, including Connecticut and Illinois, had opened investigations into the breach. 

The breach also included audio files, one of which the hacker shared with Motherboard.

Source: Soundcloud

There may be complicated consequences. Besides the complex nature of the hack itself, the breach also raises questions about the security precautions — or the lack thereof — of other major companies. 

As a corporation that makes nearly $2 billion in revenue, one would expect VTech to have decent security measures in place. Yet according to some experts, the nature of the company — it makes toys and cordless phones — means it may not be fully prepared to do so.

"VTech is a toymaker and I don't expect them to be security superstars," Tod Beardsley, security research manager with Rapid7 Inc., and security and analytics company, told Reuters. "They are amateurs in the field of security."

This is, in a sense, both good and bad: More sophisticated firms, like those that hold the keys to highly personal financial or medical data, likely have more refined techniques in place to protect data. But this doesn't mean that less "serious" companies can ignore security precautions, especially when the wellbeing of minors is at play. 

In fact, it's companies like these that may pose the most danger to everyday users. Few people could have predicted that VTech would be hit with a massive security breach, and that's exactly what makes it so vulnerable.

"You have all these devices and services that are connecting to the Internet by companies that don't have the experience that older software companies do in securing their data," Katie Moussouris, chief policy officer with HackerOne, a vulnerability management company, told Reuters.

An anonymous VTech hack victim who spoke to Motherboard expressed concern that products used for his child could leave him vulnerable to an attack.

"Why do you need know my address, why do you need to know all this information just so I can download a couple of free books for my kid on this silly pad thing? Why did they have all this information?" he said. "If you can't trust a company like that, then who can you trust with your information? It's kind of scary."

Indeed, it's a question worth asking — both now and, it seems, for the foreseeable future. 

Mic has reached out to VTech for comment, and will update if we hear back.