Cybernetic Attack on VTech’s Learning Lodge
Learning Lodge, which is similar to app stores like Google Play, is aimed at parents, offering them additional educational content that can be downloaded onto various VTech devices. VTech probably came to know of the hack on November 23, after a journalist’s inquiry about the data breach.
The database contains customer data including name, email address, password, IP address, mailing address and download history.
VTech notes the database did not store credit card information or personal identification data such as social security numbers. There were over 200,000 records for children, including their “first names, genders and birthdays”.
This link exposed almost a quarter of a million young children’s complete identities and addresses to hackers.
The data involved was collected via VTech’s Learning Lodge website, where parents must register in order to use many of VTech’s toys, the company said. VTech is the latest in a series of major technology companies to have its security breached and customer details stolen.
What’s worse is that the toy maker was not aware of the security breach until the alleged hacker himself reported it to Motherboard. The purported hacker, said the report, was quoted as saying that he plans to do “nothing” with the information.
VTech publicly announced the hack this morning, though it completely failed to mention just how severe the hack was, or how many people were affected by the attack.
The company, which sells electronic learning products for children from infancy to preschool, confirmed the hack and said in an email that there was “unauthorised access” to its database on 14 November.
VTech has since revealed some details of the breach publicly while notably holding back on the severity of the comprehensive breach.
Motherboard contacted security expert Troy Hunt, who maintains the site Have I Been Pwned; Hunt analyzed the data and found 4,833,678 unique email addresses and the users’ hashed passwords, which are easy to break. Further, the company said that it neither stores nor processes any customer credit card data on the Learning Lodge website.
However, if the program does not validate that the entry is in the correct format, then the hacker can enter any SQL query and effectively dump all the data from the database to the screen or to a file.
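The unvalidated-entry problem described above, shown next to its fix. This is an added example, not VTech's code: the `customers` table, its rows and the three lookup functions are constructed for illustration, with columns modelled on the fields the article lists.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data (hypothetical schema, not the real database).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(name TEXT, email TEXT, password_hash TEXT, ip TEXT, address TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        ("Parent A", "a@example.com", "hash-placeholder", "192.0.2.10", "1 Example St"),
        ("Parent B", "b@example.com", "hash-placeholder", "192.0.2.11", "2 Example St"),
        ("Parent C", "c@example.com", "hash-placeholder", "192.0.2.12", "3 Example St"),
    ])
    return db

def lookup_unsafe(db, email):
    # The entry is pasted into the SQL text, so a quote character in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # The entry is bound as a value; the query text never changes.
    return db.execute("SELECT name, email FROM customers WHERE email = ?",
                      (email,)).fetchall()

# Simplified format check for this example; real address validation is looser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def lookup_safe(db, email):
    # Format validation as a second layer on top of parameter binding.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("entry is not in the expected format")
    return lookup_parameterized(db, email)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed entry that is not an email address
    print("concatenated :", len(lookup_unsafe(db, crafted)), "rows returned")
    print("parameterized:", len(lookup_parameterized(db, crafted)), "rows returned")
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("validated    : rejected,", exc)
```

Parameter binding alone already stops the entry from being parsed as SQL; the format check adds an early rejection that can be logged.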