VTech hack exposes personal data for 4.8 million kids, parents

In a Twitter post published on Monday, Hong Kong toy manufacturer VTech Holdings issued an apology for the recent hack of its Learning Lodge app store database.

The attorney-generals of CT and IL in the United States have said they would probe the breaches, though their representatives declined to comment on the focus of their inquiries.

According to Tech Times, data of over 200,000 children, including those from U.S., Canada, Ireland, Germany and Australia, were obtained.

The VTech app store, which is called “Learning Lodge”, lets parents and kids download apps, games, and other content onto VTech devices.

The stolen customer information from the VTech database includes names, birth dates, and genders of child users.

However, VTech stressed that the database does not contain any credit card information and it does not process nor store any customer credit card data on the Learning Lodge website.

The good news is that according to VTech’s press release, their database doesn’t contain credit card information.

The alleged mastermind behind the fourth largest consumer data breach told Motherboard that the hack exposed other sensitive information, including children’s photos and chat logs between kids and parents. A popular toymaker was hacked last week, exposing the personal information of millions of customers. And Hong Kong’s privacy commissioner for personal data said he would check whether VTech was following data privacy principles. But the hacker at the centre of the attack claims to have access to chat logs and personal information.

“The breach is a timely reminder to change your passwords on a regular basis and check to see what data security measures you have in place in your home”.

An anonymous researcher discovered a trivial exploit that allowed them to export over 4 million individual parent records and about 280,000 child records.

The leaked data doesn’t appear to have been used for criminal purposes yet, VTech said. A company’s spokesperson has confirmed that an “unauthorized party” accessed its Learning Lodge app database on November 14.

VTech says that, “in total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts”. VTech has suspended both services and 13 websites.