According to the website Have I been pwned?, a site that makes it easy for consumers to check and see if their online information has been compromised, it's the fourth largest consumer data breach ever. It affects more than 4 million adults, but more worryingly, nearly 300,000 kids. And the information that was compromised is pretty personal stuff.
The dump includes things like children's full names, their age, their gender and their home address, as well as parents' passwords and security questions. And that's just the stand-alone kid data. Each parent record carries an ID number, and each child record carries the matching parent ID, so the two sets of records can be joined. That means that in the data breach, if a parent's information is available, it is trivial to find the corresponding child's information. Troy Hunt, who runs Have I been pwned?, summed it up very well in a blog post he wrote on the VTech breach:
When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say 'Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)', I start to run out of superlatives to even describe how bad that is.
VTech has assured consumers that Social Security and credit card numbers are not at risk, since payments are handled through a third party. That's good news, but when it comes to privacy issues that affect children, it's safe to say that parents are less worried about their credit card information and more worried that such personal information about their children is potentially so easily accessed.
To that end, the details surrounding the how and when of this breach are pretty alarming. VTech allegedly didn't even know it was happening. Instead the hacker reached out to a journalist over at Vice Motherboard, who in turn contacted the company. So it learned about the hack secondhand.
Besides that, the security in place was lax, to put it gently. Passwords in the dump were not encrypted at all; Hunt's analysis found they were stored as unsalted MD5 hashes, a scheme that a simple dictionary or lookup-table attack can reverse for most real-world passwords in minutes. And the hacker got in using what's known as SQL injection, a method that's considered both easy to execute and, by passing user input to the database as a parameter instead of pasting it into the query text, shamefully easy to defend against.
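To make the injection point concrete, here is an added example (not VTech's code, and not from Hunt's post) of a login lookup that builds its SQL by string concatenation, beside the parameterized version, run against a constructed in-memory SQLite database. The table names, columns, emails and the parent/child rows are all made up for the demonstration; the parent-ID link between the two tables mirrors the record structure the article describes.

```python
"""Added example: SQL injection in a lookup query versus a parameterized query.
Everything here (schema, rows, emails) is constructed for the demonstration."""
import sqlite3


def build_db():
    """Constructed data: two parents, each linked to children by parent_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE children (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO parents (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
         ("bob@example.com", "e10adc3949ba59abbe56e057f20f883e")],
    )
    conn.executemany(
        "INSERT INTO children (parent_id, name) VALUES (?, ?)",
        [(1, "Mary"), (2, "Tom")],
    )
    return conn


def find_parent_vulnerable(conn, email):
    """Vulnerable: the caller-supplied string becomes part of the SQL text,
    so quotes and keywords in it are parsed as SQL, not as data."""
    query = f"SELECT id, email FROM parents WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_parent_safe(conn, email):
    """Hardened: the value is bound as a parameter; the driver never lets it
    change the shape of the statement, however many quotes it contains."""
    return conn.execute(
        "SELECT id, email FROM parents WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology: the WHERE clause becomes always-true and every parent row
# comes back, not just the one whose email was "entered".
TAUTOLOGY = "' OR '1'='1"

# UNION-based payload: the original query matches nothing (email = ''), and the
# appended SELECT pulls rows out of a table the lookup was never meant to touch.
# The trailing "--" comments out the closing quote the template adds.
UNION_DUMP = "' UNION SELECT id, name FROM children --"


def demo():
    conn = build_db()
    leaked_parents = find_parent_vulnerable(conn, TAUTOLOGY)
    leaked_children = sorted(find_parent_vulnerable(conn, UNION_DUMP))
    blocked = find_parent_safe(conn, TAUTOLOGY)  # literally looks for that string
    return leaked_parents, leaked_children, blocked


if __name__ == "__main__":
    parents, children, blocked = demo()
    print("tautology dumped parents:", parents)
    print("union dumped children:", children)
    print("parameterized query returned:", blocked)
```

The safe version needs no input filtering at all: the same payload that dumps both tables through the vulnerable function simply fails to match any row, because the database receives it as a value rather than as query text.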
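And to show why an unsalted fast hash is "easy to decipher", here is a second added example (again not VTech's code) that cracks a constructed set of unsalted MD5 hashes with a single precomputed lookup table, beside a per-user salted, iterated scheme (PBKDF2-HMAC-SHA256, chosen here as an illustration) that defeats that table. The wordlist and the "leaked" hashes are made up for the demonstration.

```python
"""Added example: cracking unsalted MD5 with a lookup table, versus salted,
slow hashing. The wordlist and leaked hashes are constructed, not real data."""
import hashlib
import hmac
import os

# Constructed "common passwords" list standing in for a real cracking wordlist.
WORDLIST = ["password", "123456", "qwerty", "letmein", "learninglodge"]

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune to your hardware


def md5_unsalted(password):
    """The weak scheme: one deterministic digest per password, shared by every
    user who picked that password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Hash each candidate ONCE, then recover every matching account by lookup.
    Cost does not grow with the number of leaked accounts, which is exactly
    why unsalted hashes fall so fast."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def store_password(password):
    """Hardened scheme: random per-user salt plus an iterated KDF, stored as
    'salt$derived_key' in hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(stored, password):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so the check itself does not leak timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_with_table(stored_values, wordlist):
    """The same precomputed-table attack against salted records: the attacker's
    table was built without each user's salt, so nothing matches."""
    table = {hashlib.pbkdf2_hmac("sha256", w.encode(), b"", PBKDF2_ROUNDS).hex(): w
             for w in wordlist}
    return {s: table[s.split("$")[1]] for s in stored_values if s.split("$")[1] in table}


def demo():
    # Constructed leak: three accounts, two sharing the password "password".
    leaked = [md5_unsalted("password"), md5_unsalted("password"), md5_unsalted("letmein")]
    recovered = crack_unsalted(leaked, WORDLIST)

    stored = [store_password("password"), store_password("password")]
    same_password_differs = stored[0] != stored[1]
    return recovered, same_password_differs, crack_salted_with_table(stored, WORDLIST)


if __name__ == "__main__":
    recovered, differs, salted_hits = demo()
    print("recovered from unsalted MD5:", recovered)
    print("two users, same password, different stored values:", differs)
    print("table attack against salted records recovered:", salted_hits)
```

Against the salted scheme the attacker must start over for every account, and each guess costs tens of thousands of hash operations instead of one. That per-account cost, not secrecy of the algorithm, is what keeps a leaked table from turning into a list of plaintext passwords.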
Not only was the information easy to steal, but the systems that held it remained vulnerable after the breach. Hunt was intentionally vague about what VTech's security flaws are, so as not to encourage malicious hackers to exploit them, but he identified what he saw as serious security lapses, sent them to VTech, and had this to say on what it will take to get the site up to snuff:
"I’ll say this much here: there’s no simple fix. The flaws are fundamental and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly. You just can’t take chances with other people’s data in this way, especially not when they’re kids."
VTech has said it has reached out to anyone who was potentially compromised in the breach, so you should know by now if you or your child's information was compromised. If you'd like to double check, you can use Have I been pwned? to enter the email you used to register with VTech's Learning Lodge service or one of its other websites.
It doesn't look like this hack was malicious. When the hacker reached out to Vice, he claimed to have no plans for the data, so apparently this was done for no reason other than to ostensibly show how easily it was obtained. He also remarked to the Vice reporter that "it was pretty easy to dump, so someone with darker motives could easily get it."
As this situation unfolds, VTech has said it will continue to update consumers on its website, or you can email the company at one of the email addresses it has set up to handle inquiries. If you're in the United States, that email address is email@example.com.