5 Million VTech accounts hacked – kids’ data exposed

News Tips

Nothing says the holiday season like over-spending on toys and devices for our children. It really shows how much we care – right? Chances are, there is a toy or two on your kid’s list that has some type of connection to the web. Hell, they may already have a half-dozen or so already.

5 Million VTech accounts hacked – kids' data exposed

Raise your hand if your kid has a VTech toy that helps them with learning? It’s OK to admit, we own a few. For those of you who raised your hand, you may want to sit down before reading on.

On Cyber Monday, VTech announced that they were hacked some time in November, and that the hackers had compromised over 5 million user accounts on their network from one databases.

The hackers’ bounty included usernames, passwords, IP addresses and downloads – pretty standard fare for a database breach, right? However, that was the least of what the hackers made off with. You see the hackers also were able to gain birthdays, gender and names of the children and also nabbed 190 gigabytes of photos that include tens of thousands kids’ headshots.

Yes, you read that right. Tens of thousands of photos of kids and parents – intimate photos that no one wants to fall into the hands of evil doers.

According to the company’s FAQ statement, the breach may impact users in the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

Unfortunately, this story is still developing, so parents wondering if their family’s account was compromised will have to stand pat and wait. We will share more info as we know it as will my colleagues Mike and Chris over at Threatpost so be sure to keep checking back.

5 Million VTech accounts hacked – kids' data exposed

At the time of writing this post, you can shop ’til you drop at VTech’s online store. The company does not offer a disclaimer of the hack on their website’s homepage, but could you blame them when you’ve got the “Cyber Week Super Sale” and “Merry Must-Haves” front and center?

I love the smell of ecommerce in the morning, especially when buying for my kids. Ok – now that I got my sarcasm out of the way, the company does disclose the breach when you click on the “Downloads” section, which makes sense given that it is geared more to repeat customers – who potentially could be one of the 5 million.

5 Million VTech accounts hacked – kids' data exposed

This sucks – what can I do?

Unfortunately, as we continue down the path of more connectivity, we are going to be slapped with the harsh reality that there are evil folks out there who will look to exploit vulnerabilities in the products. In a recent interview, David Emm of our GReAT team opined:

“We live in a connected world, where even our children’s toys could become the means for personal data being captured by attackers. It’s really important that, when considering such toys this Christmas, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family.”

5 Million VTech accounts hacked – kids' data exposed

So how can we keep Suzie and Billy safe? Here are a four tips:

  1. Guard your kids – When it comes to exposing children to the Web and/or connected devices it is a decision that can vary from parent to parent. However, we would urge you to do some research and decided what exposure you want out there when you are looking at exposing your children to the Web.
  2. No real data – Pop quiz: do you know why retailers ask for personal data when you sign up for a service or account to play online games? If you said ‘to enhance the experience,’ you are wrong. Sites that collect data use this to market to you, or sell the data to third party vendors, so that others can market to you. Think twice before giving them the leg up on your kids’ data.
5 Million VTech accounts hacked – kids' data exposed
  1. Photos are priceless – You know that saying, a photo is worth 1,000 words? While it may or may not be true, your kid is priceless. No one should be looking at photos of them, unless you want them to.
  2. Smart, not secure – We live in an age where everything from a Barbie to a fridge can be “smart” and connected. However, the downside is that in the creation of these devices, security is often not top of mind for the companies. If you don’t believe us, read up this tale that discusses hacked baby monitors.

At the end of the day, you are your best ally against cybercrime. The less you share, the less there is to get out there. As always we’re here to help and if you want to keep up with the latest news, be sure to follow us on Facebook or Twitter to keep up with the latest news.