It has come to light that earlier this month, popular children’s computer company VTech were the victims of an attack by an unnamed hacker. The hacker was able to gain access to around 5 million user’s credentials, including the 200,000 children whose data was stored by VTech’s Learning Lodge online service.
The data was leaked as parts of the credentials may include details such as their names, email addresses and home addresses. Additionally included in the leak were the security questions and answers of the users, meaning cracking of the users passwords would not be necessary to compromise accounts and if the same password reset information was used on another site, those accounts would also be vulnerable. The scariest part is that the details of the children recorded by VTech included their names, birth dates and genders and could be used to link them to their parent’s accounts, providing those with sinister motives access to the locations of countless children. According to the site Have I Been Pwned, a reputable repository of data breaches, this breach is the fourth largest leak of consumer data to date.
Thankfully, in an interview with Motherboard, the hacker, when asked what he intended to do with the data replied with “nothing”. And while he intends to do nothing with it, warned that others may have extracted data from the site before him, due to the ease of attack. The technique used to break into the site was an SQL injection, an old and simple way of attacking vulnerable websites, typically executed by inputting malicious code into the forms on a website, to manipulate it into performing an attackers desired operations. After using this to gain full access to the systems and databases, the attacker had free access to all of the data within.
And while VTech has responded to the breach by promising to “look at additional ways to strengthen our Learning Lodge database security.” However, this may not be enough. Following the attack, security expert Troy Hunt, as well as examining the data to assess the extent of the leak, went on to do a cursory security review of Vtech’s Learning Lodge site. He warned that the lack of encryption anywhere on the site as well as the site’s databases and APIs had the tendency to leak data mean that there didn’t even need to be a data breach for user information to be at risk.
If you are a user of the Learning Lodge site and wish to enquire further with VTech, they have set up a series of email accounts to handle them, which can be found here.
It should be considered fortunate that the perpetrator of this attack was willing to bring the breach to light and has no ill intentions for the data acquired, however, it is still unacceptable for a company that handles data, especially on vulnerable parties such as children, to engage in such poor security practice.