Digital story, BrainJet, December 2015
When someone hacks into your information, it's never fun. But it's doubly heinous when it happens to your children.
In November 2015, digital toymaker VTech was hit by a cyber attack that expert security analysts are calling the largest such attack on kids' information; the intrusion exposed data for about 6.4 million children. Even more recently, hackers hit VTech a second time, accessing a service that stores headshots and data for both kids and parents.
"This breach is a parent's nightmare of epic proportions," Seth Chromick, a threat analyst with network security firm vArmour, said in a CNBC article. "A different approach to security for all organizations is needed."
But how did this happen?
The breach initially occurred through VTech's Learning Lodge app store database, which allows customers "to download apps, learning games, e-books and other educational content to their VTech products," according to the company's statement about the hack. Hackers also obtained data through VTech's Kid Connect, in which parents and children can chat via an app on a smartphone and a VTech tablet.
"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate," VTech reports in an FAQ about the breach.
Motherboard, a Vice publication, broke the initial story about the Learning Lodge hack and followed up with an article that shared information directly from someone claiming to be one of the hackers. The hacker reportedly provided Motherboard with a number of files to prove his or her involvement in the attack.
"While probing VTech servers, the hacker found tens of thousands of pictures of parents and kids. Some are blank, or duplicates, so it’s hard to establish exactly how many are legitimate pictures," Motherboard reports. "But the hacker said he was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands, or more, headshots of parents and kids, according to the hacker."
The relatively easy access to data at VTech, which is based in Hong Kong, is raising concerns about cybersecurity.
"This case will lead many toy companies to rethink their security protections for children's data," said Shai Samet, founder of Samet Privacy, which audits toymakers for compliance with the U.S. government's Children's Online Privacy Protection Act.
VTech's internet-connected toy lines, which include the Kidizoom Smart Watch DX and the InnoTab Learning Tablet, are meant for kids from infancy through preschool age. The company has suspended its breached websites and has outlined additional privacy steps in an FAQ.