Toymaker Breach Exposes Millions of Families’ Details

VTech, a Chinese toy company that makes popular electronic gadgets and toys for kids has had its servers hacked to reveal a data breach that reveals the personal information of more than 5 million parents and 200,000 children.

Chinese toy company VTech has confirmed an ‘unauthorized party’ that accessed customer information in a database serving VTech’s Learning Lodge app store earlier this month. This app store is specifically crafted for parents to download e-books, games and applications along with educational content to VTech devices.

Motherboard reported the hack and noted that the breached database contained information such as parents’ names, email addresses, passwords, mailing addresses, download history and even IP addresses. The company did not reveal how many customers were affected but did confirm no credit card details were breached, since they weren’t stored to begin with.

Furthermore, the database also included the kids’ first names, birthdays and genders. Motherboard was even contacted by the anonymous hacker who claimed to be behind the breach. When asked what he intends to do with it, the hacker said “nothing”.

The hacker added:

It was pretty easy to dump, so someone with darker motives could easily get it.

The hacker further revealed he had “root access” or unrestricted access with full authority to access and control the data in the servers.

The hacked database stored information of customers from the following countries:

  • United States
  • Canada
  • United Kingdom
  • Ireland
  • France
  • Spain
  • Germany
  • Belgium
  • Denmark
  • Luxembourg
  • Hong Kong
  • China
  • Australia
  • New Zealand, among others.

Related article: 13 Million Passwords Leaked from 000Webhost Breach

When contacted by the publication, a spokesperson for VTech said the following via email:

On November 14 [Hong Kong Time], an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.

Troy Hunt, an independent security researcher who was reached by the publication to verify the data revealed the Chinese toymaker to operate without any usage of SSL encryption anywhere on its website or servers.

Alarmingly, passwords and other data that ought to be encrypted in a secure communication stream are essentially unprotected. He also discovered the company’s websites to extensively leak data from their APIs and databases in such a way that a malicious attacker could easily gain data by simply exploiting the readily visible flaws.