MANILA, Philippines – Chinese tech toy maker VTech is the latest victim of a major data breach.

The company announced on Friday, November 27, that a hacker hit VTech’s Learning Lodge app store database on November 14, finding the customer data of 4.8 million parents and over 200,000 children.

VTech’s statement said that the customer database did not contain credit card information or personal identification data like social security numbers, but did have “general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.”

Motherboard wrote in its report that the accessed data include “names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids.”

Because of the nature of the information, it’s possible to link the children to the parents, exposing their identities and locations.

Speaking with the hacker via encrypted chat, Motherboard said the hacker accessed the database via SQL injection, a common attack type in which hackers “insert malicious commands into a website’s forms, tricking it into returning other data.”

While the hacker said he did not intend to make the data public, it is possible that others got to the data ahead of him.

“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said.

According to Have I Been Pwned, a data breach repository, the VTech breach is now the fourth largest consumer data breach to date.

Troy Hunt, who maintains Have I Been Pwned, wrote in a blog post that VTech had major security failings.

Hunt wrote: “For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted.” 

There was also “the extensive use of Flash,” which has been notably problematic due to its security issues.

Hunt added: “What really disappoints me is the total lack of care shown by VTech in securing this data. It’s taken me not much more than a cursory review of publicly observable behaviors to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been. Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.” – Rappler.com

Background image from Shutterstock