Now Hackers are Stealing Children's Birthdays, How low can they go?

Wednesday, December 9, 2015

Digital Journal
4th largest data breach ever affects 5m parents, 200k children
By: James Walker

The Chinese maker of some of the most popular tablet computers for young children has suffered a severe data breach. Hackers accessed VTech's servers and stole the personal information of nearly 5 million parents and over 200,000 kids.

VTech is the creator of devices including the InnoTab tablet and DigiGo phone. Its products have a target audience of very young children who would find an actual smart device too intimidating. It builds rugged, kid-friendly versions of the latest gadgets. Its range currently includes phones, tablets, game consoles, cameras and a smart watch.

Motherboard learnt yesterday that the company experienced a major data breach earlier this month. VTech has not yet made all the details public but the hacked data is understood to include the names, email addresses, passwords and home addresses of some 4,833,678 parents who have bought the company's devices. The names, genders and birthdays of over 200,000 child users have also been stolen.

The hacker who claims responsibility for the attack gave the files of sensitive data — delivered as gigabytes of databases and comma-separated values — to Motherboard. VTech confirmed the breach is genuine this Thursday, telling Motherboard: "On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us."

An expert who reviewed the breach at Motherboard's request found there is sufficient data to link individual children with their parents, making the data dump the fourth largest in history according to website Have I Been Pwned. The site lets anybody type in their email address to see if it is included in any of the known data breaches it tracks.

Troy Hunt, founder and maintainer of Have I Been Pwned, analysed the data. He found the passwords were hashed, but only with the MD5 algorithm, a fast hash that can be cracked in under a second. Even without cracking, passwords could easily be reset, because the account recovery information was stored in plain text.
Even more seriously, Hunt found that VTech doesn't use SSL encryption anywhere on its website and therefore transmits login credentials across the Internet without any protection. He warned that parents shouldn't trust the company with their data and said he has "complete confidence" in the legitimacy of the dump.

VTech publicly admitted it had been attacked in a statement yesterday. It did not disclose the severity of the breach though, failing to mention the number of affected customers or type of data stolen. The company says it is conducting a "thorough" investigation.
The hacker responsible told Motherboard he has no plans to exploit the data haul. Apparently, it has so far been shared only with the news site and not offered for sale online, even though it could be worth thousands.

The attacker claims SQL injection was used to access VTech's systems, a technique that is highly effective but relatively easy to guard against. It works by submitting an unexpected form value that forces the website to reveal data that is normally private. Because most forms pass their input to code that interacts with a database, that input may be interpreted as a raw database command if it is not sanitized correctly.

Therefore, if an attacker enters a SQL command to select data into a form field that does not correctly filter its input, the database may execute the input as a command instead of treating it as text, and dump its contents directly onto the webpage. This suggests there are open security holes on VTech's website. The hacker said "it was pretty easy to dump" and added that any other attacker with "darker motives" could probably still access it today.
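The following is an added example, not code from the article or from VTech, illustrating the mechanism just described against a constructed in-memory SQLite table: one lookup builds the query by concatenating the form value into the SQL text, the other passes it as a bound parameter. The e-mail addresses and the lookup functions are assumptions made for the demonstration; the "tautology" input is the textbook illustration of a value that, once concatenated, turns the WHERE clause into one that is always true.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are illustrative, not breach data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, name) VALUES (?, ?)",
        [
            ("alice@example.invalid", "Alice"),
            ("bob@example.invalid", "Bob"),
            ("carol@example.invalid", "Carol"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """The flawed pattern: the form value is spliced into the SQL text, so the
    database parses whatever the user typed as part of the command."""
    query = "SELECT email, name FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str):
    """The fix: a placeholder is compiled first and the value is bound afterwards,
    so the input is only ever compared as a string, never parsed as SQL."""
    return conn.execute("SELECT email, name FROM users WHERE email = ?", (email,)).fetchall()


def demo():
    """Run both lookups with an honest value and with the textbook tautology input."""
    conn = make_sample_db()
    honest = "bob@example.invalid"
    hostile = "x' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the concatenated query the hostile value returns every row in the table, which is exactly the "dump" the article describes; with the bound parameter the same value returns nothing, because the database is looking for a user whose e-mail address literally contains the quote and the OR. Input filtering helps, but binding parameters (or an ORM that does so) removes the class of bug rather than one payload.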
