VTech Client Data Stolen During Hack

Learning Lodge is an app store for VTech devices that features learning games and other educational tools. The company assures users in a statement that no payment information was accessed, as the site directs customers to a secure, third-party payment gateway during the check-out process.

The hackers gained access to sensitive information such as email addresses, passwords, and home addresses of 4,833,678 consumers who have bought products sold by VTech.

VTech stresses its customer database doesn’t include any credit card information or social security numbers. The data hack also includes the first names, genders and birthdays of over 200,000 children.

Over 200,000 children have also been affected, with name, gender, age, and material that could directly link them with their parents’ aforementioned info compromised.

In response to the hack, VTech temporarily closed its Learning Lodge store and is working to improve the site’s security.

In its press release, VTech shares that the hacker was able to retrieve general profile information such as name, email address, encrypted password, secret question, and answer for password retrieval as well as IP address, mailing address, and download history information. VTech is the latest in a series of major technology companies to have its security breached and customer details stolen.

Hong Kong-based VTech, meanwhile, issued a prepared statement on its website, saying that it is not sure how many records were taken. What makes this hack particularly devious and upsetting is that children are impacted.

VTech has since revealed some details of the breach publicly while notably holding back on its full severity.

It was pretty easy to dump (steal), so someone with darker motives could easily get it.

From there, the attacker is said to have gained root access to the company’s web and database servers.

Security expert Troy Hunt claims that the actual hack was most likely done through supplying Structured Query Language (SQL) commands to the website database, since it was left exposed to the internet, allowing anyone to interact with the information store without authentication. The method is nothing new but remains quite effective for inserting malicious commands into a website’s forms, which tricks it into returning other kinds of data than expected.
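The form-input injection described above, next to the parameterized query that prevents it, as an added example that is not from the article or from VTech's code. The `parents` table, its columns and its rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parents (email TEXT, name TEXT, secret_answer TEXT)")
    db.executemany(
        "INSERT INTO parents VALUES (?, ?, ?)",
        [
            ("alice@example.com", "Alice", "blue"),
            ("bob@example.com", "Bob", "rex"),
            ("pat.o'brien@example.com", "Pat", "oak"),
        ],
    )
    return db

def lookup_vulnerable(db, email):
    # Form input is pasted into the SQL text, so quotes in it become SQL syntax.
    query = "SELECT name FROM parents WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, email):
    # Input is bound as a value; the statement text never changes.
    return [row[0] for row in db.execute(
        "SELECT name FROM parents WHERE email = ?", (email,))]

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook form input that rewrites the WHERE clause
    results = {
        "vulnerable_crafted": lookup_vulnerable(db, crafted),
        "parameterized_crafted": lookup_parameterized(db, crafted),
        "parameterized_apostrophe": lookup_parameterized(db, "pat.o'brien@example.com"),
    }
    try:
        # A legitimate address containing an apostrophe also breaks the query.
        lookup_vulnerable(db, "pat.o'brien@example.com")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The concatenated query returns every row for the crafted input and fails outright on a legitimate address with an apostrophe, while the bound parameter handles both as plain data.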

A children's toy company exposed data on 4.8 million parents and 200,000 kids