An unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT.
Advertisement
The alleged mastermind behind the fourth largest consumer data breach told Motherboard that the hack exposed other sensitive information, including children’s photos and chat logs between kids and parents.
As soon as we get some more details about what the company will be doing about the issue and also why they were storing the photos on their servers, we will let you guys know.
In trying to limit the damage and ease the concern of clients, VTech released a statement saying that no financial or payment details had been stolen.
On Monday, VTech suspended 13 of its websites and said the affected customers were notified. That is in addition to records for 4.9 million adult customers VTech had previously said were affected.
Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
If not for Motherboard’s investigation into the anonymous hacker’s claims, VTech might never have picked up on its servers’ vulnerabilities.
Australian computer security researcher Troy Hunt has called the company “massively negligent”, according to Fairfax Media.
Customers from the US and 15 other countries are affected. He says that this is extremely risky, especially when it comes to registering accounts with passwords and personal data. Converting those hashes into their original passwords is possible using decoding tools and powerful graphics processors.
Further analysis by Hunt showed it is easy to match the registered accounts of parents with their registered children.
Advertisement
“The flaws are fundamental, and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly”, Hunt wrote. “There are specific controls that must be adhered to in collecting and using children’s data, and several companies have been fined to date for non-compliance”, Bower said. “A different approach to security for all organizations is needed”.
