VTech hack: It’s getting way worse

1 Dec 2015

The VTech hack that has seen a reported 5m parents have their personal data accessed – and 200,000 kids, too, apparently – has just gotten a whole lot worse after images emerged online.

A few days ago, Motherboard ran a story that claimed VTech, the childrens’ toymaker, had suffered a serious data breach after a hacker got in touch. Reporting that millions of parents and hundreds of thousands of kids were compromised, things were bleak.

VTech subsequently came out and explained some of the story, admitting that “an unauthorised party” had accessed customer data in the company’s Learning Lodge app store database.

Although no financial details were apparently compromised, a bunch of personal information like names, dates of birth, IP addresses, security questions and the likes were. This was troubling.

According to the latest news, though, this is getting more troubling. Writing for Motherboard, Lorenzo Franceschi-Bicchierai now claims that images, selfies of customers, are included in the hack. That’s images of parents, parents and children, and even just children.

“Over the weekend, the hacker, who asked to remain anonymous, told me that VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents,” Franceschi-Bicchierai wrote.

“This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.”


An alleged sample of edited headshots of children and parents found on VTech servers, via Motherboard

The article goes on to claim 190Gb of photos were included in the hack. And, to add insult to injury, both chats between parents and kids and even some audio were also a part of it.

VTech has since written another post on the breach, claiming that no personal identification (ID card numbers, social security numbers, drivers licence numbers) are included in the hack.

“We have reached out to every account holder in the database, via email, to alert them of this data breach and the potential exposure of their account data,” the company said.

“As an additional precautionary measure, we have suspended Learning Lodge and the following websites temporarily for thorough security assessment and fortification.”

Children key image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic