Children's Photos Among Data Stolen in Hack of Toy Maker VTech
It’s a parent's worst nightmare: Photos of their kids’ smiling faces stolen by a stranger online, along with identifying information including their names, genders, birth dates, mailing addresses and the contents of their private chats.
Thanks to a security breach at toy maker VTech, that nightmare just became a reality for thousands of parents.Yesterday, the children’s toymaker admitted that it’s on the hook for exposing all of the above private data, plus additional personal information.
The alarming breach, apparently perpetrated by a white hat hacker on a mission to reveal cracks in VTech’s security protocols, was first uncovered by Motherboard. The anonymous hacker told the publication that she has no intention of publishing or selling the stolen data. Her sole aim, she says, is to raise awareness and alert parents.
“Frankly, it makes me sick that I was able to get all this stuff,” she told Motherboard. “VTech should have the book thrown at them.”
In addition to eyeing a flurry of proprietary personal data, she claims she accessed tens of thousands of photos of kids and parents on VTech’s servers, many of them headshots.
For any questions in regards to our recent security breach, please reach out to our team at: firstname.lastname@example.org or 1-800-521-2010.— VTech Toys (@vtechtoys) November 30, 2015
The Hong Kong-based electronics giant confirmed in a statement that a Nov. 14 hack of its “Learning Lodge” app store database betrayed the intimate details of nearly 5 million adult customer accounts, including IP and email addresses, passwords, login secret questions and answers and device download histories. The statement does not mention the theft of photos.
While customers’ credit card data was not compromised, the identifying information of some 200,000 children was also exposed. Learning Lodge enables VTech product users -- mainly kids -- to download educational games, ebooks and apps to their Internet-connected VTech toys.
If not for Motherboard’s investigation into the anonymous hacker’s claims, VTech might never have picked up on its servers’ vulnerabilities. VTech claims it has since corrected its server susceptibilities and says it is taking added steps to bolster security. The company has also emailed every customer in its Learning Lodge database to inform them of the hack.