On Black Friday, electronic toymaker VTech Holdings announced that it had been the victim of a data breach that compromised information about 4.8 million parents and 200,000 children.
The Hong Kong-based company reported that an “unauthorized party” accessed data in its Learning Lodge app store database on November 14. The company only learned about the breach when it was contacted by a Canadian reporter for Motherboard, after which it performed an internal investigation and discovered “irregular activity.”
The Learning Lodge allows customers to download apps and educational games to VTech products, such as tablet computers designed for kids.
According to the company,
Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
The company says the customer database does not include credit card information or Social Security numbers.
However, according to the Sydney Morning Herald, the leaked information also includes the first names, genders and birthdays of children.
According to an expert consulted by the Motherboard site, “it’s possible to link the children to their parents, exposing the kids’ full identities and where they live.”
Motherboard also said that the passwords were “poorly encrypted”:
The passwords were not stored in plaintext, but “hashed” or protected with an algorithm known as MD5, which is considered trivial to break.
Secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account.
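An added example, not taken from the article or from VTech's systems: the storage weakness Motherboard describes, next to a salted, slow hash applied to both the password and the recovery answer. The account rows, field names and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; an assumption for this sketch

def md5_hex(secret: str) -> str:
    """Unsalted MD5, the scheme the report describes (shown for comparison only)."""
    return hashlib.md5(secret.encode()).hexdigest()

def protect(secret: str) -> str:
    """Salted, deliberately slow hash; returns 'salt$digest' in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def normalise(answer: str) -> str:
    """Recovery answers are typed inconsistently; fold case and whitespace first."""
    return " ".join(answer.casefold().split())

def build_record(email: str, password: str, answer: str) -> dict:
    """Account row that keeps neither the password nor the answer readable."""
    return {
        "email": email,
        "password": protect(password),
        "secret_answer": protect(normalise(answer)),
    }

# Constructed sample accounts: two parents who picked the same password.
ALICE = build_record("alice@example.com", "sunshine1", "  Fluffy ")
BOB = build_record("bob@example.com", "sunshine1", "Rex")

if __name__ == "__main__":
    # Unsalted MD5: equal passwords give equal digests, so one lookup exposes both.
    print(md5_hex("sunshine1") == md5_hex("sunshine1"))
    # Salted slow hash: the same password is stored differently per account.
    print(ALICE["password"] != BOB["password"])
    print(verify("sunshine1", ALICE["password"]))
    print(verify(normalise("fluffy"), ALICE["secret_answer"]))
```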
The Injection Method
The hacker told Motherboard that s/he
gained access to the company’s database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website’s forms, tricking it into returning other data.
The hacker was then able to break into VTech’s web and database servers, where they had “root access”—in other words, access with full authorization or control.
The hacker told Motherboard that s/he didn’t plan to do anything with the data. However, the hacker noted that others might have broken into the VTech system earlier – and might be willing to sell or use the data.
“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said.
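An added example, not code from VTech or from the Motherboard report: the class of flaw described above, shown as a lookup that builds its SQL from a form value, beside the parameterised version that closes it. The table, rows and function names are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a customer table (constructed rows, hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice@example.com", "Alice"),
        ("bob@example.com", "Bob"),
        ("carol@example.com", "Carol"),
    ])
    return db

def lookup_concatenated(db: sqlite3.Connection, email: str) -> list:
    """Flawed: the form value becomes part of the SQL text itself."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db: sqlite3.Connection, email: str) -> list:
    """Fixed: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

# Constructed form input: the quote ends the string literal early and the
# rest is read as an extra condition that is true for every row.
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Both versions behave the same for an ordinary address.
    print(lookup_concatenated(db, "alice@example.com"))
    print(lookup_parameterised(db, "alice@example.com"))
    # Only the concatenated query returns rows the caller never asked for.
    print(len(lookup_concatenated(db, CRAFTED)))
    print(len(lookup_parameterised(db, CRAFTED)))
```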
Whereas many large data breaches, such as those at Target and Home Depot, have affected mainly US consumers, the VTech breach is international. The company says its database has information on customers in the US, Canada, UK, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia, and New Zealand.
Children and Identity Theft
According to the US Federal Trade Commission,
A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live.
Children are especially vulnerable to identity theft because they don’t check their credit reports or have legitimate financial accounts via which they might be alerted to unusual activity.
The FTC says warning signs that a child might have been the victim of identity theft include when you and/or your child:
- are turned down for government benefits because the benefits are being paid to another account using your child’s Social Security number
- get a notice from the IRS saying the child didn’t pay income taxes, or that the child’s Social Security number was used on another tax return
- get collection calls or bills for products or services you didn’t receive
Has your child’s identity been stolen?
People can check whether their account data has been compromised in a data breach on the “have I been pwned?” site. However, just because an email address isn’t on there today doesn’t mean that account information won’t show up tomorrow.
Parents can also contact each of the three nationwide credit reporting companies and ask for a manual check for any files relating to the child’s name or Social Security number. According to the FTC,
If your child’s credit report shows the child’s information is being misused, call each credit reporting company. Ask each company to remove all accounts, account inquiries, and collection notices from any file associated with your child’s name and Social Security number.
Contact every business where your child’s information was misused. Ask each business to close the fraudulent account and flag it to show it resulted from identity theft.
Parents can also ask one of the credit reporting companies to place a fraud alert on the child’s credit report, since once a child’s data is “out there” others may try to use it again. That one company will then contact the other two.
According to the FTC,
It’s a good idea to check whether your child has a credit report close to the child’s 16th birthday. If there is one — and it has errors due to fraud or misuse — you will have time to correct it before the child applies for a job, a loan for tuition or a car, or needs to rent an apartment.
Will they never learn?
Despite the steady increase in the number and severity of data breaches, companies seem to think they’re immune and continue to use sloppy, lazy, outdated data “protection” practices.
It’s clear that businesses around the world won’t change their ways until consumers and lawmakers demand it.