Massive Hack on Toy Company is ‘Off the Charts,’ Says Security Analyst

The latest massive cyberattack, this one targeting toy company Vtech, proves that anyone, kids included, are vulnerable to hackers.

Vtech, which makes a variety of electronic learning toys for children, announced that its app store database, Learning Lodge, was hacked Nov. 14, exposing the personal information of more than 5 million of its customers and related kids’ profiles. Learning Lodge allows Vtech customers to download apps, games, e-books and other educational content to its Vtech products, including its InnoTabs.

The toymaker said after it discovered the data breach, it immediately took action to prevent further attacks.

“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future,” Vtech said in a statement. “The investigation continues as we look at additional ways to strengthen the security of all online services provided by VTech.”

Here’s what you need to know about the Vtech hack:

• Who was affected? The data breach exposed 5 million Vtech customer accounts from around the globe – the United States included. Profiles for children were also exposed.
• When did the data breach occur? According to Vtech, the security breach occurred Nov. 14 and was discovered 10 days later.
• What information was exposed in the hack? Vtech said its customer information, including names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history was exposed. Although no credit card information was affected, security experts say the data breach is still huge because sensitive information was stolen. “When it’s hundreds of thousands of children including their names, genders and birth dates, that’s off the charts,” security analyst Troy Hunt wrote in a blog post. “When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.” Hunt also added that the passwords exposed are not encrypted.
• Is Vtech contacting affected customers? According to the toymaker, it’s sending out emails to all account holders to alert them of the breach. You can also click here to check. If you have questions about the hack, email [email protected].

Hunt, who discovered and confirmed the Vtech data breach, said the toymaker needs to significantly step up how it secures its customers’ data because the company’s security still has gaping holes.

“Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people,” Hunt wrote in his blog.

If you want to see if your account has been compromised in a data breach, click here to check.

I have purchased Vtech toys for my children and registered on the toymaker’s Learning Lodge site, and according to haveibeenpwned.com, my information and my children’s information were exposed in Vtech’s data hack. Great.

It’s infuriating to me to think that my children’s personal information has been hacked because of the information that Vtech requires you to fill out before you can download books and games on its online app store.

What do you think of Vtech’s data breach? Do you think companies are doing enough to protect your personal information? Share your comments below or on our Facebook page.