News

Data on Thousands of Children Exposed in VTech Hack

It has come to light that earlier this month, popular children’s computer company VTech were the victims of an attack by an unnamed hacker. The hacker was able to gain access to around 5 million user’s credentials, including the 200,000 children whose data was stored by VTech’s Learning Lodge online service.

The data was leaked as parts of the credentials may include details such as their names, email addresses and home addresses. Additionally included in the leak were the security questions and answers of the users, meaning cracking of the users passwords would not be necessary to compromise accounts and if the same password reset information was used on another site, those accounts would also be vulnerable. The scariest part is that the details of the children recorded by VTech included their names, birth dates and genders and could be used to link them to their parent’s accounts, providing those with sinister motives access to the locations of countless children. According to the site Have I Been Pwned, a reputable repository of data breaches, this breach is the fourth largest leak of consumer data to date.

Thankfully, in an interview with Motherboard, the hacker, when asked what he intended to do with the data replied with “nothing”. And while he intends to do nothing with it, warned that others may have extracted data from the site before him, due to the ease of attack. The technique used to break into the site was an SQL injection, an old and simple way of attacking vulnerable websites, typically executed by inputting malicious code into the forms on a website, to manipulate it into performing an attackers desired operations. After using this to gain full access to the systems and databases, the attacker had free access to all of the data within.

And while VTech has responded to the breach by promising to “look at additional ways to strengthen our Learning Lodge database security.” However, this may not be enough. Following the attack, security expert Troy Hunt, as well as examining the data to assess the extent of the leak, went on to do a cursory security review of Vtech’s Learning Lodge site. He warned that the lack of encryption anywhere on the site as well as the site’s databases and APIs had the tendency to leak data mean that there didn’t even need to be a data breach for user information to be at risk.

If you are a user of the Learning Lodge site and wish to enquire further with VTech, they have set up a series of email accounts to handle them, which can be found here.

It should be considered fortunate that the perpetrator of this attack was willing to bring the breach to light and has no ill intentions for the data acquired, however, it is still unacceptable for a company that handles data, especially on vulnerable parties such as children, to engage in such poor security practice.

Alexander Neil

Disqus Comments Loading...

Recent Posts

Trust Gaming GXT 609 Zoxa 2.0 PC Speakers

SOUNDS GREAT – Full stereo sound (12W peak power) gives your setup a booming audio…

4 hours ago

PowerA Wired Controller for Nintendo Switch

Special Edition Yoshi design Ergonomic controller shape with Nintendo Switch button layout Detachable 10ft (3m)…

4 hours ago

Logitech G Saitek PRO Flight Rudder Pedals

Fluid Motion: These flight rudder pedals are smooth and accurate that enable precise control over…

4 hours ago

Logitech G Saitek Farm Sim Controller

Heavy Equipment Bundle: Includes a steering wheel for heavy machinery, gas and brake pedals, and…

4 hours ago

Razer Ornata V3 X – Low Profile Gaming Keyboard

Low-profile Keys for an ergonomic gaming experience. With slimmer keycaps and shorter switches, enjoy natural…

4 hours ago

Glorious Gaming Model O Wired Gaming Mouse

Size & style: Ambidextrous lightweight mouse for gaming. Built for speed, control and comfort, with…

4 hours ago