The Hong Kong-based electronics giant confirmed in a statement that a November 14 hack of its “Learning Lodge” app store database betrayed the intimate details of almost 5 million adult customer accounts, including IP and email addresses, passwords, login secret questions and answers and device download histories.
Advertisement
If not for Motherboard’s investigation into the anonymous hacker’s claims, VTech might never have picked up on its servers’ vulnerabilities.
VTech said in a statement that children’s profiles included name, gender and birth date.
As many as 5 million accounts and 200,000 child accounts were targeted, the company said.
“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website”, the company said.
Motherboard even posted what is claimed to be a recording of a discussion between a child and their parent.
VTech shut down its “Learning Lodge” that is used by parents and children to purchase items and download new games and apps. Audio clips of children speaking have also reportedly been found on the server. No payment information was compromised. “Clearly manufacturers should be taking greater care over data security and privacy, but parents should also be more careful with their children’s personal information”, he explained in an email to FoxNews.com. VTech has suspended both services and 13 websites.
How did the hacker(s) get in? These passwords, however, were hashed using a specific algorithm known as MD5, which has been said to be easy to crack. SSL is a commonly used security feature used across the Internet. This is sort of the Ashley Madison for children.
Hackers were able to pull childrens’ photos, chat logs and other personal data stored in VTech accounts, according to blogger Troy Hunt, who tracks data security breaches and said he was the first to notify VTech about the hack.
Advertisement
When Motherboard reached out to VTech for comment, the company’s spokesperson responded, “We were not aware of this unauthorized access until you alerted us”.
