In the aftermath of the Vtech hack, security researchers have accused the toy manufacturer of not storing passwords in its database in a secure way.
Security researchers pointed fingers at Vtech, noting that the company ignored common steps and basic security protocols to safeguard customer passwords in the event of a breach.
Vtech emailed affected customers on Monday to let them know that their passwords, while encrypted initially, may have been decrypted by the hacker who obtained them.
Trend Micro cybersecurity researcher Rik Ferguson told the BBC that Vtech had not properly scrambled customer passwords within its database. Furthermore, the database also contained the customers’ security questions and answers for password resets, in plain text.
The researcher also added that the hash used by the company to store passwords on the website was not of a sufficient security grade. In other words, a seasoned hacker could easily figure out the stored passwords. Routinely, the hashing process is aided with a ‘salt’, a randomly generated string that is appended to the user’s password before the scrambling process. This introduces an extra layer of complexity that ensures each hash is different, even if two separate users have chosen the same password. Such measures ensure that malicious hackers or attackers would find it both impractical and laborious to deduce the passwords of millions of customers.
As it turns out, Vtech did not salt any of its customers’ passwords, which makes them vulnerable to a hash table attack.
Ferguson explains the process:
If you know the algorithm, you can take a dictionary of known words or commonly used passwords and generate all the hashes for them.
That gives you a rainbow table and you can then look to see if any of the hashes match those in the customer database.
A hash table exploit is rendered impractical and useless when salting is introduced, precisely because a separate ‘rainbow table’ would have to be built for every unique user in the database.
To make matters worse, Ferguson notes that Vtech used a hashing algorithm with well-known weaknesses.
“They made a poor choice,” he says. “The MD5 algorithm has been known to be flawed for a decade. It is unforgivable for a technology company making products for children. They had an enormous duty of care and they failed.”
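The following is an added illustration, not code from Vtech or from the article, of the two storage schemes contrasted above: an unsalted MD5 store, where one precomputed table of common passwords reveals every matching account and identical passwords are visible as identical digests, beside a per-user salted store (PBKDF2-HMAC-SHA256 is assumed here as the stronger scheme) where the same table finds nothing. The account list, password dictionary and iteration count are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample accounts; two users chose the same password.
ACCOUNTS = {"alice": "password123", "bob": "letmein", "carol": "password123"}
# Constructed list standing in for a dictionary of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password123", "letmein", "qwerty"]
ITERATIONS = 200_000  # assumed work factor for PBKDF2

def unsalted_md5(password: str) -> str:
    """The weak scheme the article describes: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); the salt is stored next to it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def store_unsalted(accounts: dict) -> dict:
    """user -> MD5 digest, as a database without salting would hold it."""
    return {user: unsalted_md5(pw) for user, pw in accounts.items()}

def store_salted(accounts: dict) -> dict:
    """user -> (salt, digest) with a fresh random 16-byte salt per user."""
    out = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)
        out[user] = (salt, salted_hash(pw, salt))
    return out

def precomputed_table() -> dict:
    """digest -> password for the dictionary, computed once with no salt."""
    return {unsalted_md5(p): p for p in COMMON_PASSWORDS}

def recoverable_from_table(unsalted_store: dict, table: dict) -> int:
    """How many accounts a single precomputed table reveals by plain lookup."""
    return sum(1 for digest in unsalted_store.values() if digest in table)

def salted_matches(salted_store: dict, table: dict) -> int:
    """The same table against salted records: no digest can coincide."""
    return sum(1 for _, digest in salted_store.values() if digest in table)

def verify_salted(salted_store: dict, user: str, attempt: str) -> bool:
    """Login check: rehash the attempt with the stored salt and compare."""
    salt, digest = salted_store[user]
    return secrets.compare_digest(digest, salted_hash(attempt, salt))
```

Running the two stores side by side also shows the audit signal a defender can look for: duplicate digests across accounts only occur when passwords are stored without a salt.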