UPDATED 9:15 a.m. and 4 p.m. EST Tuesday, Dec. 1 with additional information.
Another day, another compromised customer database. This time, an attacker hit a customer-information database belonging to the Hong Kong-based tech-for-tots company VTech.
Information pertaining to both parents and their children — including parents' full names, email addresses and physical addresses, and children's first names and dates of birth — was apparently poached, although VTech has not attributed this theft to any specific person or persons.
Australian security researcher Troy Hunt found that the VTech database contained 4.8 million unique customer accounts and 227,622 child account records, both related to VTech's Learning Lodge app store.
More significantly, Hunt explained that most of the user passwords were encrypted with the very weak MD5 algorithm, without "salts" that would make them harder to crack. Many free software programs can crack unsalted MD5 passwords, and you can even try it yourself here. Hunt said the database also held answers to password-change security questions, which were stored without any encryption at all.
Children's last names and addresses were not part of the stolen data, but each child was linked to a parent's account. If a child shares a surname and physical address with a parent, the child is at heightened risk of identity theft, as a full name, date of birth and mailing address are often sufficient to open a fraudulent account.
According to VTech, the attack happened Nov. 14, but that the company only discovered the attack when "a Canadian journalist" — presumably Lorenzo Franceschi-Biccherai, a Italian journalist working in New York for the (formerly Canadian) VICE Motherboard tech-news website, and who broke the story — inquired about the breach Nov. 23.
Franceschi-Biccherai reported that VTech was hit by a simple SQL-injection attack, a common method of breaching online databases that even the teenager next door could probably pull off. VTech said it informed customers about the attack Nov. 27, but claimed user credit-card information was safe, as purchases are made through a secure off-site, third-party partner.
What to do
If you are a parent with a Learning Lodge account, you should check Hunt's Have I Been Pwned? website, which compiles information from data breaches and now includes customer accounts stolen from VTech.
If you have a Learning Lodge account at all, you should change your password immediately, and also change the password on any other online account for which you used the same password. While we do not recommend users ever reuse passwords across different accounts, this is a great time for VTech users to make sure their Learning Lodge account passwords aren't the same as those they use to log into their other online accounts.
Additionally, since the answers to security questions were also stolen, VTech users should no longer use those answers for security questions again. Instead, we suggest you use incorrect answers to questions like “Who was your favorite teacher?” and keep track of these answers in a password manager or notebook.
The only possible good news here is that the purported hacker told Franceschi-Biccherai that he or she had no intention of selling or distributing the stolen information. But we've got only the hacker's word for that.
UPDATE 9:15 a.m. Tuesday: The unnamed hacker who stole the VTech data told VICE Motherboard in a story posted Monday (Nov. 30) that the data also contained "thousands of pictures of parents and kids and a year's worth of chat logs," and some audio files. The new files were related to Kid Connect, a VTech mobile app for iOS and Android that lets parents communicate with kids who are using VTech devices.
The hacker told Motherboard that he downloaded 190GB of images, mostly headshots of parents and children. He shared nearly 4,000 of the images with Motherboard.
"Frankly, it makes me sick that I was able to get all this stuff," the hacker told Motherboard's Lorenzo Franceschi-Biccherai. "VTech should have the book thrown at them."
UPDATE 4 p.m. EST Tuesday: VTech has updated its FAQ on the data breach with the news that profiles of 6.4 million children, including first (but not last) names, birthdates and genders, were compromised. The children's profiles were linked to the 4.8 million parent accounts.
About 2.2 million parent accounts and 2.9 million child profiles were from the United States; 238,000 accounts and 316,000 child profiles belonged to Canadian users. Other countries with large numbers of compromised accounts and profiles were France, the United Kingdom and Germany.
VTech has assigned dedicated email addresses in different countries to which concerned customers can direct queries. American customers can email email@example.com; Canadian customers should contact firstname.lastname@example.org.
The company would not confirm that images of and chats between parents and children had been compromised, as reported earlier, but noted that the images and audio files were "encrypted by AES128," referring to a common encryption algorithm. Motherboard's report did not mention any difficulty in viewing the images or listening to audio files.
"Regretfully, our database was not as secure as it should have been," the updated company FAQ now states.