"On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database," Grace Pang, a VTech spokesperson, told Motherboard in an email. "We were not aware of this unauthorized access until you alerted us."

On Friday, I asked the hacker what the plan was for the data, and they simply answered, "nothing." The hacker claims to have shared the data only with Motherboard, though it could have easily been sold online.

VTech announced the breach publicly on Friday, but failed to disclose its severity. The press release doesn't mention how many records were lost, that the stolen passwords are only weakly hashed, or that the breach exposes the identities of children.
Motherboard reviewed the data with the help of security expert Troy Hunt, who maintains Have I Been Pwned.

Hunt analyzed the data and found 4,833,678 unique email addresses with their corresponding passwords. The passwords were not stored in plaintext, but "hashed" or protected with an algorithm known as MD5, which is considered trivial to break. (If you want to check whether you're among the victims, you can do it on Hunt's website Have I Been Pwned.)
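To make concrete why a bare MD5 digest is a poor way to store passwords, here is an added example (not code from the article or from VTech) that places the MD5 scheme the article describes beside a hardened scheme using a per-user random salt and a slow key-derivation function. The MD5 hashes are assumed to be unsalted for illustration; the article says only that MD5 was used, and the record format and iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Legacy scheme as described in the article: a bare MD5 digest of the password.
# Assumed unsalted here; the article only says MD5 was used.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)

# Hardened scheme: 16-byte random salt per user plus PBKDF2-HMAC-SHA256,
# which is deliberately slow so guessing is expensive. The record format is
# constructed for this example: "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
PBKDF2_ITERATIONS = 600_000

def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    # Reject malformed records instead of raising; the salt and iteration
    # count are read back from the record so they can differ per user.
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    # Constant-time comparison so verification time does not leak the digest.
    return hmac.compare_digest(digest, expected)

def identical_password_records_collide(store, password: str) -> bool:
    """True if two users who choose the same password get the same stored record.
    With unsalted MD5 this is True, so one precomputed lookup table reveals every
    account sharing that password; with a per-user salt it is False."""
    return store(password) == store(password)

if __name__ == "__main__":
    print("md5 records collide:", identical_password_records_collide(md5_store, "password"))
    print("salted records collide:", identical_password_records_collide(pbkdf2_store, "password"))
```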
"It was pretty easy to dump, so someone with darker motives could easily get it."
According to Hunt, it appears that parents still can't trust VTech. Apart from the breach, he also found a number of awful security practices during a "cursory review" of how the company handles data on its sites.

Hunt said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. (SSL is a technology used to protect data sent between a user and a website, and it's typically visualized with a green lock on the URL bar.) Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws.

"The bottom line is that you don't even need a data breach," Hunt said. Still, he said this should serve as a lesson for VTech.

"Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people," he wrote in his blog post.

In this case, it appears the hacker decided not to profit by selling the data online. But next time, VTech might not be so lucky.
"I was surprised and shocked to see my data breached on a 'child friendly' website."