The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier this month after a hacker broke into the servers of a Chinese company that sells kids toys and gadgets, Motherboard has learned.
The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids.
What's worse, it's possible to link the children to their parents, exposing the kids' full identities and where they live, according to an expert who reviewed the breach for Motherboard.
This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online, which allows users to check if their emails and passwords have been compromised in any publicly known hack.
The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment.
"We were not aware of this unauthorized access until you alerted us."
"On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database," Grace Pang, a VTech spokesperson, told Motherboard in an email. "We were not aware of this unauthorized access until you alerted us."
On Friday, I asked the hacker what the plan was for the data, and they simply answered, "nothing." The hacker claims to have shared the data only with Motherboard, though it could have easily been sold online.
VTech announced the breach publicly on Friday, but failed to disclose its severity. The press release doesn't mention how many records were lost, nor that the passwords stolen are poorly encrypted, or that the breach exposes the identities of children.
You might not have heard of VTech, but the company sells a plethora of kids' toys and gadgets, including tablets, phones, and a baby monitor. The company also maintains an online store, called Learning Lodge, where parents can download apps, ebooks, and games for VTech products.
When pressed, VTech did not provide any details on the attack. But the hacker, who requested anonymity, told Motherboard that they gained access to the company's database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website's forms, tricking it into returning other data.
The hacker was then able to break into VTech's web and database servers, where they had "root access"—in other words, access with full authorization or control. The hacker said that while they don't intend to publish the data publicly, it's possible others exfiltrated it first.
"It was pretty easy to dump, so someone with darker motives could easily get it," the hacker said in an encrypted chat.
"It was pretty easy to dump, so someone with darker motives could easily get it."
Motherboard reviewed the data with the help of security expert Troy Hunt, who maintains Have I Been Pwned.
Hunt analyzed the data and found 4,833,678 unique email addresses with their corresponding passwords. The passwords were not stored in plaintext, but "hashed" or protected with an algorithm known as MD5, which is considered trivial to break. (If you want to check whether you're among the victims, you can do it on Hunt's website Have I Been Pwned.)
Moreover, secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account.
"That's very negligent," Hunt said. "They've obviously done a really bad job at storing passwords."
For Hunt, however, the most worrisome element of the breach is the fact that it contains data about kids, and that it's possible to link the kids' database back to the parents, making it possible to figure out a kid's full name and home address.
"When it includes their parents as well—along with their home address—and you can link the two and emphatically say 'Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),' I start to run out of superlatives to even describe how bad that is," Hunt wrote in a blog post he published on Friday.
With the Hunt's help, we reached out to victims to alert them of the breach, and find out how they felt.
"I was surprised and shocked to see my data breached on a 'child friendly' website," Cathryn Edwards, a mother from the UK, said in an email.
The sentiment of outrage was echoed by another victim, who asked to remain anonymous.
"Why do you need know my address, why do you need to know all this information just so I can download a couple of free books for my kid on this silly pad thing? Why did they have all this information?" the victim, who is a father also living in the UK, told Motherboard over the phone. "If you can't trust a company like that, then who can you trust with your information? It's kind of scary."
"I was surprised and shocked to see my data breached on a 'child friendly' website."
According to Hunt, it appears that parents still can't trust VTech. Apart from the breach, he also found a number of awful security practices during a "cursory review" of how the company handles data on its sites.
Hunt said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. (SSL is a technology used to protect data sent between a user and a website, and it's typically visualized with a green lock on the URL bar.) Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws.
"The bottom line is that you don't even need a data breach," Hunt said. Still, he said this should serve as a lesson for VTech.
"Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people," he wrote in his blog post.
In this case, it appears the hacker decided not to profit by selling the data online. But next time, VTech might not be so lucky.