VTech Cyber Attack: 4.8 Million Accounts Hacked Via Kiddie App Store
VTech, a Chinese maker of kids' electronic toys, confirmed a hacker was able to access and retrieve information from its Learning Lodge app store. The hack reportedly includes data from almost five million accounts.
The attack happened on Nov. 17, but VTech only released a statement after a week, on Nov. 24.
"We were not aware of this unauthorized access until you alerted us," Grace Pang, a VTech spokesperson, told Motherboard in an email.
In its press release, VTech says the hacker was able to retrieve general profile information such as name, email address, encrypted password, and secret question and answer for password retrieval, as well as IP address, mailing address, and download history information.
The company emphasizes that its Learning Lodge customer database does not store credit card information or any personal identification data like ID card numbers, driving license numbers, and Social Security numbers.
Motherboard sent the data to Troy Hunt, a security expert who maintains the Have I Been Pwned site. After analyzing the hack data, Hunt found that it contained 4.8 million unique email addresses, their corresponding passwords, and secret questions used for password or account recovery, among other things.
Hunt, however, was worried about finding data on children that can be linked to their parents' information. He was also disappointed by the "total lack of care shown by VTech in securing this data."
"It's taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been," he writes.
Users whom Motherboard reached out to were shocked and outraged at the hack and by how much information the company needed to store to enable their purchase.
The Learning Lodge is a store where customers can download apps, ebooks, learning games, and other educational content to their VTech products. The hack involves information on customers from the United States, United Kingdom, Australia, France, Germany, Spain, Ireland, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, and New Zealand, reports CNET.