On Friday, VTech announced that a large amount of customer data had been accessed without authorization. Every user with a Learning Lodge app store account was affected. The customer database breach included unauthorized access to “general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history,” VTech said.
While the announcement did not say how many accounts had been accessed, Motherboard reports that the breach exposed the personal data of some 5 million parents and 200,000 children.
The VTech hack, carried out by breaking into the Hong Kong-based company’s servers, is especially alarming: it not only revealed the names, genders and birthdays of the 200,000 children, it also made it possible for attackers to link each child to his or her parents’ account.
That link exposed the full identities and home addresses of nearly a quarter of a million young children.
The VTech breach is the fourth largest consumer data breach to date. The hackers who claim responsibility say they have no plans to use the information maliciously or to sell it online, but the attack nonetheless revealed some alarming weaknesses in VTech’s information security practices.
According to Motherboard, which was contacted by the hackers claiming responsibility, the attack began with SQL injection against the company’s database. The technique is nothing new, but it remains effective: an attacker submits crafted input through a website’s forms or URL parameters, and an application that splices that input straight into a database query ends up executing the attacker’s SQL and returning data the query was never meant to return.
After obtaining root access, the hackers moved on to VTech’s database servers, where they were able to dump the entire Learning Lodge customer database.
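To make the mechanism concrete, here is an added example written for this article, not code from VTech’s systems or from the hackers: a customer lookup against a constructed in-memory SQLite table, first built by pasting user input into the query text and then with a parameterized query. The schema, the sample rows and the payload are all constructed; the article does not describe the actual injection point, and nothing here reproduces it.

```python
"""Added example: an SQL-injection-prone lookup and its parameterized fix.

Illustrative code written for this article, not VTech's application code.
The schema, the sample rows and the payload are all constructed.
"""
import hashlib
import sqlite3

# Constructed sample accounts (fictional), stored the way the article
# describes: e-mail, MD5 of the password, plaintext recovery answer.
SAMPLE_USERS = [
    ("alice@example.com", hashlib.md5(b"password").hexdigest(), "Fluffy"),
    ("bob@example.com", hashlib.md5(b"123456").hexdigest(), "Main Street"),
    ("carol@example.com", hashlib.md5(b"correct horse").hexdigest(), "Blue"),
]

# Constructed payload: closes the string literal and appends an always-true
# condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a minimal customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, password_md5 TEXT, secret_answer TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The bug: user input is pasted into the SQL text, so input that
    contains SQL syntax changes what the query means."""
    sql = (
        "SELECT email, password_md5, secret_answer FROM users "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the query text is fixed and the value is bound separately,
    so the database treats the whole input as data, never as SQL."""
    sql = "SELECT email, password_md5, secret_answer FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", len(lookup_vulnerable(db, "alice@example.com")), "row(s)")
    print("vulnerable, payload      :", len(lookup_vulnerable(db, PAYLOAD)), "row(s)")
    print("parameterized, payload   :", len(lookup_parameterized(db, PAYLOAD)), "row(s)")
```

With the payload, the string-built query returns every row in the table, which is exactly the “returning other kinds of data than expected” the article describes; the same input through the parameterized query returns nothing, because the bound value is compared as a literal string. Fixing the query does not change what a dump then exposes: each row still carries a crackable hash and a plaintext recovery answer.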
“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker told Motherboard in an encrypted chat.
When security researcher Troy Hunt analyzed the data the hackers provided, he found nearly 5 million unique email addresses stored alongside passwords protected only by a plain MD5 hash. MD5 is a fast, general-purpose hash, and with no salt or work factor applied a dictionary attack can recover most of the passwords in short order.
Hunt also found that customers’ secret questions and answers for account recovery were stored in plaintext. Because people tend to reuse the same questions and answers across services, that would let attackers reset passwords on other online accounts, such as email, banking or retail accounts.
The careless way passwords and security questions were stored is alarming in itself, since it places users’ privacy and security at heightened risk.
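The following added example, written for this article and not VTech’s code, runs a dictionary attack over constructed account rows stored the way the article describes (bare MD5 hash, plaintext recovery answer) and, for comparison, over the same accounts stored with a per-user random salt and PBKDF2-HMAC-SHA256 from Python’s standard library. The accounts, passwords, recovery answers and word list are all constructed.

```python
"""Added example: a dictionary attack against unsalted MD5 password hashes,
with a salted, iterated hash (PBKDF2) beside it for comparison.

Illustrative code written for this article, not VTech's code. The accounts,
passwords, recovery answers and word list are all constructed.
"""
import hashlib
import os

# Constructed accounts. The third password is not in the word list, so it
# survives the dictionary attack under both schemes.
ACCOUNTS = [
    ("parent1@example.com", "password", "Rex"),
    ("parent2@example.com", "12345678", "Elm Street"),
    ("parent3@example.com", "Tr0ub4dor&3", "Springfield"),
]

# Constructed word list: a tiny stand-in for the multi-million-entry lists
# (earlier password dumps, common-word lists) that real cracking rigs use.
WORDLIST = ["letmein", "password", "123456", "qwerty", "iloveyou", "12345678", "sunshine"]

ITERATIONS = 100_000  # work factor for the PBKDF2 comparison


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def store_unsalted_md5(accounts):
    """Rows in the shape the article describes: e-mail, bare MD5 of the
    password, and the recovery answer in plaintext."""
    return [(email, md5_hex(pw), answer) for email, pw, answer in accounts]


def store_pbkdf2(accounts):
    """Per-user random salt plus an iterated hash. The answer is kept in the
    row only so the two layouts stay comparable."""
    rows = []
    for email, pw, answer in accounts:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        rows.append((email, salt, dk, answer))
    return rows


def crack_md5(rows, wordlist):
    """Unsalted: hash each candidate once, then look every account up in the
    resulting table. Returns (recovered, number_of_hash_computations)."""
    table = {md5_hex(w): w for w in wordlist}
    recovered = {email: table[h] for email, h, _ in rows if h in table}
    return recovered, len(wordlist)


def crack_pbkdf2(rows, wordlist):
    """Salted: no shared table is possible, so every (account, word) pair is
    a separate PBKDF2 run of ITERATIONS HMAC calls. Returns (recovered,
    number_of_pbkdf2_computations)."""
    recovered, work = {}, 0
    for email, salt, dk, _ in rows:
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == dk:
                recovered[email] = w
                break
    return recovered, work


def attacker_view(md5_rows, wordlist):
    """What the dump hands an attacker: cracked passwords where the word list
    hits, and the recovery answer for every account with no cracking at all."""
    recovered, _ = crack_md5(md5_rows, wordlist)
    return {email: (recovered.get(email), answer) for email, _, answer in md5_rows}


if __name__ == "__main__":
    md5_rows = store_unsalted_md5(ACCOUNTS)
    found, work = crack_md5(md5_rows, WORDLIST)
    print(f"MD5: recovered {found} with {work} hash computations")
    found, work = crack_pbkdf2(store_pbkdf2(ACCOUNTS), WORDLIST)
    print(f"PBKDF2: recovered {found} with {work} runs of {ITERATIONS} HMAC calls each")
    print("attacker view:", attacker_view(md5_rows, WORDLIST))
```

With no salt, the attacker hashes each candidate word once and looks every account up in the resulting table, so seven MD5 computations cover all three accounts at once. The salted scheme forces fifteen separate PBKDF2 runs of 100,000 HMAC calls each to reach the same two weak passwords, and that gap widens with the number of accounts and the size of the word list. Note that the recovery answers need no cracking in either layout; the only fix for them is not to store them in plaintext.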
Beyond these poor storage practices, Hunt also found that VTech’s data transmission practices were far from secure.
According to Hunt, VTech does not use SSL web encryption anywhere. Passwords and other data are therefore transmitted completely unprotected, and the company’s websites leaked extensive data from their databases and APIs. Even without an intrusion like the one disclosed this week, an attacker able to observe the traffic, for example on the same Wi-Fi network, could capture credentials in transit, and the leaky endpoints alone would yield a great deal of data about parents or children.
The breach and the additional security issues Hunt uncovered show that VTech has not been taking user security seriously, the researcher argued in a blog post on the matter.
“Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people,” Hunt wrote.