Selfies of children and their parents were part of data stolen in the VTech hack that saw more than five million customers’ details illegally accessed.
Advertisement
Motherboard, which first reported the story and is in contact with the person claiming responsibility for the hack, had previously said the personal information of some 5 million parents and 200,000 children was jeopardized.
As well as shutting its app store temporarily, VTech has suspended 13 of its associated websites as a precautionary measure.
In a press release, the company stated that the customer database includes name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history.
The affected database doesn’t contain any credit card numbers, or personally identification information such as Social Security or driver’s license numbers, VTech says. We are committed to protecting our customer information and their privacy. The breach occurred on November 14, 2015, and VTech notified customers on November 27.
While according to a security expert at Surrey University Professor Alan Woodward, the data hack of the Hong Kong-based toy manufacturer may just have been a case of simple hacking technique called SQL injection.
Customers from the US and 15 other countries are affected.
The company said the security breach hit its Learning Lodge online store, where customers can download apps, ebooks and games. Hunt believes that users should not expect that VTech has shored up the breach yet.
The hacker, whose identity was not revealed, said he or she was able to collect conversations and headshots from the company’s Kid Connect service, which allows parents and kids to chat via a smartphone app and VTech tablet. Hunt added that the security flaws could have been identified by VTech “if only they’d looked”.
Advertisement
The company says emails have been sent to all account holders informing them of the data breach. After receiving the email, Vtech said it “carried out an internal investigation and detected some irregular activity” on the Learning Lodge site. In this type of attack, a hacker inserts malicious commands into a website’s forms to trick it to return data.
