The hacked database included a lot of customer data, including some details about children, and the company was told about the breach by a journalist.
VTech confirmed Monday that the database contains user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history.
The affected database doesn’t contain any credit card numbers or personal identification information such as Social Security or driver’s license numbers, VTech says. The database houses information for its Learning Lodge app store, where users download apps and other content for VTech devices.
The Hong Kong-based company sells rudimentary tablets such as the InnoTab and learning toys for toddlers. A VTech spokeswoman told Motherboard the company was unaware of the breach until the Motherboard journalist reached out to them for a comment.
The information stolen in the VTech hack, such as the names of children, could also be used to make phishing email more convincing, according to Ashbel. VTech stored all children’s passwords on plain text and adults’ passwords on an extremely outdated encryption system that was so weak that “they may as well have not even bothered”, according to cybersecurity expert Troy Hunt.
While the hack was damaging enough for the company, Vice reported that other forms of sensitive data were also left on VTech’s servers, including the photos of many children using the company’s products and the chat logs between children and their parents.
Thanks to a security breach at toy maker VTech, that nightmare just became a reality for thousands of parents.
As more devices are connected to the Internet and as companies increasingly collect personal information about their customers, such attacks are expected to increase.
While customers’ credit card data was not compromised, the identifying information of some 200,000 children was also exposed.
The Learning Lodge app store is a service that lets people buy educational apps and games.
Vtech said it has taken steps to prevent further attacks but did not provide details. Motherboard points out that it would be possible to link the children to their parents, exposing their home addresses and last names.
Toy maker Vtech hit by cyber attack