Parents are understandably alarmed about the hack at VTech children’s toys, which was unveiled on Black Friday.
Evidently the VTech data breach reported just after Thanksgiving is far worse than believed just one week ago. While original estimates stated more than 225,000 children’s files were compromised, the Hong Kong-based children’s toy maker now believes 6.4 MILLION child files were compromised along with almost 5 million files containing parent information, making this a parental nightmare.
On December 2, the company updated its breach statement to reveal the huge spike in numbers. Statistically, the breach of children’s data is actually 30 times larger than first estimates.
The company traced the hack to its Learning Lodge service that lets parents download apps, games, e-books and other content to child learning devices. The company’s Kid Connect servers were also compromised. Kid Connect allowed parents to chat with their kids using a VTech tablet and a parent’s smartphone. Both services are currently suspended.
“Our investigation to date suggests the breach is on the server, not on the device itself. There is no evidence to suggest the toys are not safe at this time,” the company stated.
As with any breach, the first question is “What was stolen?” In this case, the answer is quite a lot. Parent info included name, email addresses, secret info for password retrieval, IP addresses, street addresses, download history and encrypted passwords. Children data included name, gender, and birthdate.
Some Learning Lodge content was reportedly encrypted, however. This list includes kid profile photos, undelivered Kid Connect messages, bulletin board postings and other content.
Rumors are rampant at the moment. Some indicate that child profile photos were compromised, but the company indicates those would have been encrypted. Audio files were also scrambled, but chat logs were stored in plain text.
VTech has not confirmed that these data files were compromised, citing an ongoing investigation. However, Motherboard recently posted photos its reporters obtained from an individual claiming to be the hacker. He reportedly told Motherboard’s staffer that he would not use or publish the data.
The only good news with this breach is that credit card data and items like Social Security numbers (SSN) were not involved. The really bad news is that when child and parent data are combined, a true profile of the youngster can be created.
The top concern in some parents’ minds will be the risk of stalking, child abduction or other harm. Yet, there’s a second major cause for concern. Child names and birthdates could be used to synthesize identities pairing them with SSNs available elsewhere to commit identity fraud.
Child identity fraud is more damaging that adult theft because those youngsters don’t need their own data for years to come. This fraud can go on for a much longer time before detection and could do a lot more damage. Often, child identity theft is only discovered when the youngster turns 18 and applies for their own checking account or credit card.
Australia-based data security expert, Troy Hunt, who runs a website on leaked data from breaches, warned users not to be lulled into a false state of calm by the company’s repeated references to encryption. He called the type of encryption used at VTech “weak MD5 hashes.” Hunt indicated VTech’s encryption could be easier to defeat than more robust methods.
Victims stretch around the globe, but the heaviest users of VTech services are located in the US, UK, France and Germany. If you are wondering whether your family’s data was compromised, there’s info on Hunt’s website, www.haveibeenpwned.com.
VTech has created an FAQ page on its main website to offer all the details they can share as of December 2.