Recently, Hong Kong-based children’s technology maker VTech suffered what can only be described as a catastrophic data breach. In simpler terms, they were seriously hacked. While that seems to be par for the course in recent months, one very important thing sets this hacking incident apart from all the others – this time, the biggest victims? They were your kids.
The person or persons responsible for the hack reached out to Vice, who confirmed that the data was legitimate with external computer security experts. VTech is a surprisingly huge company: if you’re a parent, you’re almost certainly familiar with them, but even if you’re not, you’ve almost certainly seen their products in stores.
They’re known for selling stripped down, basic versions of popular technologies and toys, targeted at really young kids. Super sturdy versions of things like laptops and iPads, designed to engage children and teach them matching, letters, numbers – you get the idea.
It’s becoming increasingly clear that the breach was the result of utterly lax security measures on the part of VTech. Data is transferred without using HTTPS (the security protocols that encrypt data between your computer and a website; it’s responsible for protecting things like your bank account logins), some data was stored in plaintext (that means it wasn’t encrypted, so anyone could read it if they gained access to the servers), and passwords were stored using a long-known insecure technology.
VTech operates (well, operated, since, for the moment, the company has taken a number of the insecure websites offline) a website called the Learning Lodge – a kind of kid- and family-oriented app store for their proprietary products. It’s this store that was breached, so if you registered for an account there, your data might be out in the open. Nearly five million different accounts are involved, though some provide more information than others.
Here are some of the more serious things you need to know about this hack.
Here’s how to see if your data was hacked:
There’s a great resource to check and see if your data was involved in this VTech hack. It’s called Have I been Pwned?, or HIBP for short. HIBP collects the information released publicly by hackers and sifts through these data dumps to find email addresses of affected individuals. It collects these into a searchable database that you can use to see if your accounts are present.
The site doesn’t use your email address to send spam, only to see if you’ve been involved in one of these breaches. It keeps track of more than 250 million compromised accounts – if you want it to, it’ll store your email address, and alert you if it’s found in any future hacks. Currently, the site is tracking 4,833,678 different VTech accounts that were leaked online. It’s reportedly the fourth largest breach of consumer data ever.
Your credit card data wasn’t stolen:
VTech claims that they didn’t store any credit card data on the affected sites, and the hackers, reporters, and data dump itself would seem to corroborate their testimony. As part of the makeup of VTech’s Learning Lodge website, parents were directed to an unnamed external payments processor to process the credit card transactions.
That’s a lot of big words to say that VTech was smart enough to outsource the payment responsibilities to another company – they never even saw such financial data as your credit or debit card numbers.
You need to change all of your passwords, now:
We should all know better than to use a password for more than one site, and yet it’s one of the biggest security flaws that many people continue to practice. In this instance, the passwords were encrypted with a really weak algorithm known as MD5 – encryption that has been considered unsafe to use for over three years. VTech either knew, or should have known, that this technology was a poor choice to protect their users’ passwords. As it is, if you have an account with VTech, assume your password has been cracked.
What’s almost worse is that all the secret questions generally used to regain access to an account if you lose or forget the password, they were all stored in plaintext, or unencrypted. That means that if you gave VTech personal identifiers like your mother’s maiden name, your first pet, or the street you grew up on, it’s all been rendered insecure. Chances are good that you’ve used one or more of those secret questions on another website, which means you need to go change all of those answers, too.
Hackers can use this data to find your children:
One of the things that made VTech’s platform so easy to use for parents was the nature of its dual account setup. A parent created a main account, with full access to the account, its controls and data, its ability to buy apps, etc. The parent then created accounts for the children, which were tied back to the main account. It’s a virtual representation of your family, basically.
These child accounts were included in the data breach. At least 200,000 children are individually involved, and here’s where it gets truly scary. As part of the data breach, hackers accessed data stored by your children on VTech’s servers. Pictures. Chat logs between kids and their parents. Audio files recorded by children onto VTech toys.
And if you can believe it, it gets worse from there. While the child accounts didn’t contain things like home addresses, the parent accounts did. Since the child accounts were directly connected to their parent’s account, however…you can see where we’re going with this. It is literally possible to dig through the data, find a child, learn their name, gender, birthday, home address, who their parents are, what passwords their parents use, and any security questions their parents may have used. It would be pretty simple to take that information and sell it or use it for other nefarious purposes.
Here’s how to contact VTech if you’re concerned, and you should be:
VTech published a press release confirming the data breach (one of whose existence they remained blissfully unaware, until contacted by Vice). All told, 4,854,209 parent accounts were affected, in addition to a whopping 6,368,509 kid profiles worldwide, with the largest number of each belonging to the U.S.
The company is refusing to confirm the nature of the data affected, including whether the pictures and audio files recovered are from their service. They do say that pictures and audio are secured with a strong encryption algorithm (AES-128) – but it seems clear that hackers got their hands on more than a few.
If you want to get in contact with VTech, here’s a list of regional and corporate email addresses they provided:
- US: email@example.com
- Canada: firstname.lastname@example.org
- France: email@example.com
- Germany: firstname.lastname@example.org
- Netherlands: email@example.com
- Spain: firstname.lastname@example.org
- UK: email@example.com
- Australia and New Zealand: firstname.lastname@example.org
- Hong Kong: email@example.com
- Other countries and regions: firstname.lastname@example.org
The hacker(s) responsible for the data breach reportedly plans to do nothing with the data, telling Vice that, “Frankly, it makes me sick that I was able to get all this stuff.” While that may bode well for this particular instance, it isn’t unreasonable to assume that VTech may have suffered other data breaches in the past thanks to their antiquated security practices – so parents should remain vigilant.