Toy maker hack exposes data on 200K children

Toy maker hack exposes data on 200K children
© Getty Images

The educational toy maker VTech confirmed on Friday that it has been the victim of a cyberattack, potentially exposing the personal details of hundreds of thousands of children.

The breach targeted customers of VTech’s app store, Learning Lodge. While the company has yet to confirm the number of individuals affected, Motherboard reports that the hacker turned over stolen data for almost 5 million users to the publication.

The data dump included names, email addresses, passwords and home addresses for the purchasing parents and included first names, genders and birthdays for over 200,000 children.

It is possible to link those 200,000 kids to their parents, exposing their full identities and home addresses, according to Motherboard.

The hacker claiming responsibility for the breach appears to have only shared the information with Motherboard and says he is going to do “nothing” with the data, the publication reports.

“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said.

VTech has temporarily closed the Learning Lodge site while it investigates the breach. The company is assuring users in a statement that no payment information was accessed because the site directs customers to a secure, third-party payment gateway during the check-out process.

The company also says that no personally identifiable information — such as a driver’s license or Social Security number — was accessed in the breach.

The stolen data did include so-called security questions, used by many sites to verify user identity. Attackers could potentially use that information to gain access to other accounts belonging to victims — such as a bank account or Gmail.

Security expert Troy Hunt, who maintains the well-known data breach resource Have I Been Pwned, pointed to the dangers of exposing children’s information in a blog post published Saturday.

“When [the data] includes their parents as well — along with their home address — and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’ I start to run out of superlatives to even describe how bad that is,” Hunt wrote.

VTech was not aware of the hack until Motherboard contacted the company, according to the publication.

“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database,” Grace Pang, a VTech spokeswoman, told Motherboard in an email. “We were not aware of this unauthorized access until you alerted us.”

Have I Been Pwned ranks the hack as the fourth-largest in history.