HackDig : Dig high-quality web security articles for hackers

Children Toy Maker VTech Hacked, Data About Kids and Parents Stolen

2015-11-27 18:40

VTech, a Chinese company that builds and sells electronic learning toys, has been breached by a mysterious hacker who shared the data with Vice's Motherboard.

According to Vice reporter Lorenzo Franceschi-Bicchierai and Troy Hunt, owner of the Have I Been Pwned? service, the data they analyzed contained extremely personal details on over 4.8 million parents and over 200,000 children.

The company acknowledged the incident and said that no credit card information was leaked. Unfortunately, many other details were. These include:

● Parent names
● Parent emails
● Parent passwords
● Parent secret questions and answers
● Parent password hints
● Parent login information
● Parent registration URL
● Parent IP information
● Parent addresses
● Parent VTech account details
● Child names
● Child avatar images
● Child gender
● Child passwords
● Child registration URL
● Child VTech account details
● Child-parent relations

The dumped data seems to contain information about VTech customers residing mainly in the UK, Spain, Germany, and France.

Following his analysis, Mr. Hunt says that the data appears to have come from a database dump obtained through an SQL injection attack, which the Vice reporter's sources confirmed.

Worryingly, the data reveals many sensitive details: the family relation between parent and child accounts, the registration URLs, and data that would allow an investigator to identify children based on the devices they used and the websites they frequented.

Outdated technology and a lack of security best practices made the incident possible

In his analysis, Mr. Hunt also discovered that VTech was using an extremely outdated platform, relying on ASP.NET 2.0, WCF, SOAP, and lots of Flash. SSL was nowhere to be found on any of VTech's sites, and in one instance, while analyzing one of VTech's portals, Mr. Hunt also found SQL queries dumped along with other debug data.

"Why they’re returning a SQL statement is absolutely beyond me," Mr. Hunt noted. "On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant [in VTech's system]."

The VTech data was added to the Have I Been Pwned? service, where it ranks as the fourth biggest data breach in the site's history, right after Adobe (152 million accounts), Ashley Madison (30 million accounts), and 000webhost.com (13.5 million accounts).

Data lost in the VTech incident

