VTech Toys Hacked : More Than 6 Million Children Targeted

The data was stored in VTech’s “Learning Lodge” app store, where customers of the Hong Kong-based company can download apps, games, e-books, and other content for VTech products.

In VTech’s case, information that should have been obscured and unrecoverable if the database were breached – such as passwords and secret answers – either wasn’t obscured at all or was done so improperly, said Larry Salibra, founder and chief executive of crowd-sourced bug-testing platform, Pay4Bugs. Vtech insisted the database does not contain any credit card information.

In the last statement issued, VTech said that no payment details were included in the hacked information.

The information does not extend to credit card details, but does include plenty of identity theft opportunities.

The hacker told Motherboard he or she used SQL injection to gain access to the company’s database, “an ancient, yet extremely effective, method of attack”, according to Motherboard. VTech customers should also keep an eye out for so-called phishing attacks, or email that appears to be from a trusted source and that asks for personal information or directs recipients to log into bogus sites.

According to Motherboard, the breach also included the first names, genders and birth dates of more than 200,000 children.

Customers affected by the database breach include those residing in the United States, Canada, UK, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia, and New Zealand, the company says.

Motherboard first reported the breach after coming in contact with the hacker who claimed responsibility for the breach (he/she provided files packed with sensitive data to Motherboard).

That is in addition to records for 4.9 million adult customers VTech had previously said were affected.

Earlier this morning, VTech gave a status update, describing that the initial breach occurred on November 14.

“Upon discovering the unauthorized access on 24 November 2015, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks”. Shares were suspended on Monday and trade in other Vtech securities has also been suspended, the company said.