First published: 28th November 2015
Hong Kong electronic toymaker VTech has admitted that an unauthorized party accessed VTech customer data housed on their Learning Lodge app store database on November 14, 2015. Learning Lodge allows VTech's customers to download apps, learning games, e-books and other educational content to their VTech products. The data breach includes the first name, gender and birthday of about 227,000 children and the names, email addresses, passwords, and home addresses of 4,833,678 parents. The children's records can be linked to their parents, so effectively the full identity and home address of each child are exposed.
The "unauthorized party" responsible for the November 14 breach apparently contacted tech journalist Lorenzo Franceschi-Bicchierai of Motherboard, who asked Troy Hunt, web security blogger and creator of Have I been pwned?, to verify the data breach. Lorenzo also contacted VTech, but did not receive a reply until days afterwards, on November 27. VTech released a press release on the data breach the same day.
When asked what the plan for the data was, the hacker responded "nothing" and claims to have provided the data only to Motherboard. If this is true, then the hacker is a whistleblower who has revealed VTech's negligent data protection.
Unfortunately, other attackers might have accessed the VTech data the same way. The hacker revealed that they gained access to the database using a SQL injection (SQLi) attack. Such attacks have been common knowledge for a decade, and are easy to implement. There is even a cartoon about SQL injection.
VTech has emailed its Learning Lodge customers concerning the breach. In the email, VTech emphasises that credit card, banking information, identity card numbers, social security numbers, and driving license numbers were not in the database. The potential for misuse of the data that has been revealed, however, is still enormous.