The latest details about a recent security breach at a kids’ toy company are in, and they are disturbing. A couple weeks ago, hackers successfully broke into the servers of connected toy maker Vtech and stole the personal information of nearly 5 million parents and over 200,000 kids (since updated to nearly 6.4 million kids). What we didn’t know until now: The hackers stole pictures of kids, too. [Updated 12.01.2015 2:30pm]
This is very bad. The hacker’s identity is still unknown, but he’s been updating Motherboard with details about the hack. When the story broke a couple days ago, the site reported that the hacker broke into Vtech’s servers and stole the names, emails, passwords, download histories, and home addresses of 4,833,678 (since updated to 4,854,209) parents who bought the company’s devices. The massive batch of data also contained the first names, genders, and birthdays of over 200,000 (since updated to 6,368,509) children, according to Vtech. Motherboard’s Lorenzo Franceschi-Bicchierai identified the hack as “the fourth largest consumer data breach to date.”
But then, this afternoon, the story took a turn for the terrifying when it became clear that the hacker had gained such broad access to Vtech’s servers that he also downloaded about 190 gigabytes of photos from the company’s Kid Connect service. This is a simple little app that lets parents chat with their kid using a Vtech tablet and a smartphone. The images themselves appear to be headshots that Vtech encourages its users to upload when using the app.
In a sense, the hack is comparable to someone breaking into Facebook and making off with all of your private information and photos. The major difference, of course, is that we’re talking about a company that makes devices for small children. The wifi-connected Vtech tablets are recommended for children between the ages of three and nine. Vtech also makes a digital camera and a camera-mounted smartwatch for the same age range. It’s certainly not the kids’ fault that a random hacker can see what they’re doing with their toys.
It is, however, Vtech’s fault. The news is dire enough that the company suspended trading on the Hong Kong stock exchange earlier today. This, after security researcher Troy Hunt revealed that Vtech failed to take even the most basic steps to secure its customers’ data—and their children’s. He writes:
For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parents’ details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parents’ other accounts and they deserve to be properly protected in transit.
You’d think if you were a children’s toy company hosting photos and addresses of small children on your server you’d at least encrypt the connections. The Vtech hacker says he used an old-school SQL injection to break in and get root access to the company’s servers. “It was pretty easy to dump, so someone with darker motives could easily get it,” he told Motherboard. For what it’s worth, the hacker says he doesn’t plan on publishing the data publicly.
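To make the "old-school SQL injection" concrete from the defender's side, here is an added example that is not from the article, from Motherboard, or from Vtech. It uses a constructed, hypothetical parent-account table in an in-memory SQLite database (not Vtech's real schema) and contrasts a lookup built by string concatenation with the same lookup using bound parameters. The concatenated version lets one stray quote character reshape the query and return every row, and it breaks on legitimate input such as an apostrophe in an address; the parameterized version treats whatever the user sent as a plain string value in both cases.

```python
import sqlite3

# Constructed sample data standing in for a parent-account table.
# This is a hypothetical schema for illustration, not Vtech's database.
SAMPLE_PARENTS = [
    ("alice@example.com", "Alice", "1 Maple St"),
    ("bob@example.com", "Bob", "2 Oak Ave"),
    ("carol@example.com", "Carol", "3 Pine Rd"),
    ("o'brien@example.com", "Pat", "4 Elm Ct"),   # legitimate value containing a quote
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO parents VALUES (?, ?, ?)", SAMPLE_PARENTS)
    return conn


def lookup_vulnerable(conn, email):
    """Concatenation: the caller's input becomes part of the SQL grammar.

    Returns the matching rows, or None if the input broke the statement.
    """
    sql = "SELECT email, name, address FROM parents WHERE email = '" + email + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # An unbalanced quote in ordinary input is a syntax error here,
        # which is the same weakness an attacker exploits deliberately.
        return None


def lookup_parameterized(conn, email):
    """Placeholder binding: the input is always a string literal, never SQL."""
    sql = "SELECT email, name, address FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return row counts for an honest, a crafted, and a quote-containing lookup."""
    conn = make_db()
    honest = "alice@example.com"
    # A single quote closes the literal; the rest is parsed as SQL.
    crafted = "x' OR email LIKE '%"
    apostrophe = "o'brien@example.com"

    def count(rows):
        return None if rows is None else len(rows)

    return {
        "vuln_honest": count(lookup_vulnerable(conn, honest)),
        "vuln_crafted": count(lookup_vulnerable(conn, crafted)),       # every row leaks
        "vuln_apostrophe": count(lookup_vulnerable(conn, apostrophe)), # statement breaks
        "param_honest": count(lookup_parameterized(conn, honest)),
        "param_crafted": count(lookup_parameterized(conn, crafted)),   # no such email
        "param_apostrophe": count(lookup_parameterized(conn, apostrophe)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second half of the hacker's claim, getting root from a web-facing query, is a separate failure: the database account the application uses should have only the rights its queries need, so that even a successful injection reads one table rather than dumping the server. Parameterized queries and a least-privilege database user are independent controls, and a site like the one described needed both.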
It’s hard to decide if you want to be horrified or downright angry about this situation. On one hand, the Sony hack and Target breaches have shown that anyone can be an unwitting victim of a company’s weak security. However, the especially terrible security at Vtech makes you wonder if you should even be letting kids play with internet-connected toys. After all, it was just a few months ago that we learned how the new “Smart Barbie” could spy on kids. What else can go wrong?
I don’t have kids, so my opinion on this matter is somewhat uninformed. I do remember that my first favorite toy was Socrates, an educational robot made by—guess who—Vtech. Who knows what I typed into that little grey box of fun. If my parents ever had half of a suspicion that some pervert could gain access to my toy and watch me play, well, it probably would’ve been back to a Lego-only playtime for me. Now, in 2015, this is a very real possibility.
Say what you will about connected toys and cheap electronics for kids, but this Vtech bonanza should serve as a wakeup call to any and every company cutting corners on security. It should also be a weighty reminder to parents who would buy these devices that companies do cut corners on security. This not only puts their personal data at risk. Neglect puts kids at risk, too.
Update 12.01.2015 2:30pm: Vtech just published an FAQ about the hack, confirming what data was and was not compromised. The company says “An investigation is on-going” as to whether and how many photos may have been stolen, though it insists the photos were encrypted. We’ve updated this post with the latest numbers. Here’s Vtech’s breakdown:
In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate.
Image via Flickr / Getty
Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22A8