Really? What was in there?
According to the company’s breach notification, the intruder got at general user profile information including names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories – personal data pertaining to both customers and their kids.
As Motherboard reported, the tally included names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 children.
But wait, it gets worse.
Motherboard on Monday reported that the breach also included thousands of pictures of parents and kids, plus a year’s worth of chat logs stored online in a way that the publication said was “easily accessible to hackers,” as well as audio recordings, some of which are of kids’ voices.
The intruder said that the data comes out of VTech’s Kid Connect, a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.
You can use Kid Connect for more than just text chat: users can also snap headshots and record voice messages, as the company’s online tutorial describes.
So, it appears, images of kids have been accessible to anyone who knew how to get at them.
The same goes for parents’ images: their faces, potentially surrounded with cartoon renditions of, say, a princess, labelled “Mommy,” have been easily accessible to anyone who might have figured out how to get at the data, as the intruder in this case said he did.
Match that up with home addresses, children’s first names and their birth dates and, well, the intruder’s right: it’s stomach-churning.
In a breach notification updated on Monday, VTech said that customers in the affected database are from the US, Canada, the UK, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.
The company also said that, “as a precautionary measure,” it’s taken down some of its vulnerable portals, such as the Learning Lodge, as well as 13 other websites.
As of Tuesday morning, VTech hadn’t responded to Motherboard’s request for clarifications as to why the company even stored this information on their servers in the first place.
As Naked Security proposed when we first wrote up the breach, VTech’s description made it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows passwords to be verified.
The company’s wording made it sound like it could retrieve a password and send it to “you” – or whoever’s using your personal details to appear as if they are you – rather than the more secure method of making passwords so scrambled that the company couldn’t get at them and would instead just reset whatever passwords customers lost.
Unfortunately, compounding this hypothetical scenario (we don’t know enough yet to confirm the premise about password storage) is the fact that there is much more data at stake than seems strictly necessary for the toymaker to do what it needs to do.
There are unintended consequences to storing data.
If what the hacker says is true, why was VTech storing chat logs going back a year, with the oldest chat logs dating back to the end of 2014?
Was the idea to potentially sift through these logs in future for development of some type of feature? Or for marketing purposes?
Was any thought at all given to collecting it, or was it collected and kept simply because it could be collected and stored?
And why in the world would the company store audio files, some featuring kids’ voices?
Such a data point might seem innocuous, but as we’ve noted when analyzing just how anonymous so-called anonymous data really is, the more data points users give up – and which a company collects – the greater the risk if a data set gets breached.
The intruder told Motherboard that he was able to download more than 190GB worth of photos. He shared 3832 image files with Motherboard, which blacked out faces and published a subset. VTech is yet to confirm that the files were taken from its databases.
Thankfully, the hacker said that he doesn’t intend to sell or publish the data.
That makes this a close call, and hopefully an extremely loud wake-up call, for the toymaker.
*He/she asked for anonymity (he has, after all, committed a crime), so I followed Motherboard’s lead in using the male gender.