Vtech, the electronic toy maker which sells a wide array of products — ranging from interactive toy cars and tracks to tablets, cameras, games, and e-books — has been hacked, with millions of users reportedly affected.
The Hong Kong-based toy making giant sent out emails to consumers this week, stating that its app store, Learning Lodge — where parents can buy and download games, books, music, and other things related to their interactive toys — was hacked by an as-yet-unknown hacker on November 14, and that the information of approximately 4.8 million families was stolen from its database, reports the BBC. The information stolen from the toy maker’s website affects families from all over the world, including the U.S., Canada, the United Kingdom, Ireland, France, Germany, Denmark, China, Australia, and New Zealand, to name a few.
In an email sent directly to affected customers, Vtech’s president King F. Pang notified Learning Lodge users of the hack and told them that certain user information was compromised, including IP addresses, passwords, and mailing addresses.
“Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.”
Included in the toy maker hack were the names, birth dates, ages, and genders of approximately 227,000 children, according to the Register.
Also in the email, Pang attempts to reassure customers by pointing out that no credit card information was stolen, because it is not kept in the Learning Lodge database. Instead, consumers are taken to a third-party website to complete a transaction.
“It is important to note that our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
“In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).”
What makes matters worse is that the toy maker didn’t even know about the security breach until the hacker himself reported it, according to Motherboard. The website also reported that an expert who reviewed the database information retrieved from the toy maker hack says that it is possible to link the affected children to their parents, thus exposing their home addresses and full identities.
Vtech publicly announced the hack this morning, though it completely failed to mention just how severe the hack was, or how many people were affected by the attack.
The biggest problem, says Professor Alan Woodward, cyber security expert at Surrey University, is that it seems the electronic toy company may have been subjected to a hacking technique called SQL injection. It is a very old trick in which database commands are entered into input fields such as username and password boxes; if the website passes that input to the database as part of its request, a hacker can download the entire database, if they so wish.
“If that is the case then it really is unforgivable – it is such an old attack that any standard security testing should look for it. If initial reports are correct then they should be taking their website connection to their databases offline immediately until they can discover how this was done and correct the issue.”
What’s more, reports the Register, the toy maker protects passwords with MD5, a hashing algorithm (not encryption in the strict sense) that is incredibly weak for this purpose and allows for the easy cracking of simplistic passwords, such as “Welcome123.”
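The two weaknesses described above, as an added Python example that is not from Vtech or the original article: a lookup built by string concatenation beside its parameterized form, and a plain MD5 digest beside a salted PBKDF2 hash. The table layout, the account, and the input string are constructed, and the absence of a salt in the MD5 case is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3

TAUTOLOGY = "x' OR '1'='1"  # constructed test input, a textbook injection string

def md5_digest(password):
    # One fast MD5 pass; no salt is assumed, so equal passwords give equal digests.
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user salt and a high iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_db():
    # In-memory table holding one constructed account (not real data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("parent@example.com", salt, slow_hash("Welcome123", salt)))
    return db

def lookup_vulnerable(db, email):
    # BEFORE: user input is pasted into the SQL text and can rewrite the WHERE clause.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    # AFTER: the input is a bound parameter and is only ever compared as a value.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def check_login(db, email, password):
    # Parameterized lookup, then a constant-time comparison of the salted hashes.
    row = db.execute("SELECT salt, pw FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(slow_hash(password, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))
    print("safe:      ", lookup_safe(db, TAUTOLOGY))
    print("login ok:  ", check_login(db, "parent@example.com", "Welcome123"))
```

With the concatenated query the constructed input returns every row in the table; with the bound parameter it matches nothing.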
Vtech says that they are currently investigating the hack, and are searching for ways to improve security for their Learning Lodge app. Hopefully this will serve as a lesson for the toy maker, and they will stop using rudimentary security techniques to protect such important information.