VTech breached, customer data stolen. Change your password now!

What’s worse that a data breach of your personal data?

A data breach of your personal data and the personal data of your children.

That’s what may have happened – or may not, it’s still not clear – at electronic toy vendor VTech.

VTech makes educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.

Actually, right now you can’t shop for anything, because the site is temporarily shuttered following a data breach.

VTech’s own statement on the breach isn’t terribly reassuring:

VTech Holdings Limited today [2015-11-27] announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT

. . .

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

From the above, VTech certainly makes it sound as though the company has “done an Adobe“, storing passwords encrypted (so that if someone figures out the decryption key, they can recover all the passwords at once), and keeping password recovery information entirely unencrypted.

Adobe famously lost more than 100 million records in which password hints were not encrypted, meaning that many people’s passwords were easy to figure out.

To add to the trouble, everyone with the same password had the same encrypted data string to represent it, so that if anyone else had the same password as you, and was silly enough to put his password in the hint…then he revealed your password at the same time.

VTech certainly makes it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows password to be verified.

After all, the official statement talks about a “secret question and answer for password retrieval”, as though the company will send you a copy of your password (presumably via email) if you can answer that secret question.

What we’re hoping is that VTech really meant to say that it stores your passwords hashed, not encrypted.

And we’re hoping it meant that those secret question and answers are for password reset, which is quite a different beast from retrieval.

(Hint to VTech: these would be surprisingly useful details to clarify as soon as possible.)

Having said that, what was lost – especially as it seems to include everyone’s password reset/recovery data in plain text – is a serious matter, because it is data that crooks can use in other attacks.

Whether a crook wants to convince other people that he knows a lot about you, even though he’s never met you, or wants to convince you that he’s contacting you legitimately by referring to things you wouldn’t expect an outsider to know…

…the more factoids he can piece together about you and your lifestyle, the greater the criminal success he is likely to have.

Worse still in the case of this breach is the suggestion on the BBC’s website that data from the theft has already surfaced online and includes children’s names, dates of birth and genders.

Let’s hope that VTech are able to provide some clarity about the situation soon – whether the news gets better or worse, it’s only the truth that can really help now.