Massive VTech Breach Affects 5 Million Customers, Including Children

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

VTech Holdings recently announced that customer data in its Learning Lodge app database was accessed by an unauthorized party on November 14, 2015.

The company didn't learn of the breach until a journalist from Motherboard contacted them on November 23, 2015, asking about the incident.

"Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks," VTech said in a statement published on November 27, 2015.

The affected database contains names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history. It also contains children's information, including names, genders and birthdates. No credit card numbers or Social Security numbers were affected.

In an update published this morning, the company added, "In total about 5 million customer accounts and related kids profiles worldwide are affected."

According to security researcher Troy Hunt, 4,833,678 parents and 227,622 children are affected by the breach -- and because it's possible to link children to their parents, children's home addresses can also be determined from the exposed data.

"The average age of kids when their account was created is just 5 years old," Hunt noted in a blog post analyzing the breach. "They have the sorts of login names you'd expect a parent to give their children; affectionate 'pet names' in many cases. The kids are almost precisely split between girls and boys and not only has their data already been leaked in this breach, it remains at serious risk due to the implementation of the site."

Hunt also noted that the password encryption is extremely easy to crack, and all secret questions and answers are in plain text.

Affected customers are located in the U.S., Canada, U.K., Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The company says it has suspended its Learning Lodge and related websites "temporarily for thorough security assessment and fortification."

"The investigation continues as we look at additional measures to strengthen our Learning Lodge database security," VTech stated in a FAQ. "We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future."

The hacker told Motherboard that they used a SQL injection attack to gain root access to VTech's servers. And while the hacker who contacted Motherboard doesn't plan to release or sell the data, they noted, "It was pretty easy to dump, so someone with darker motives could easily get it."

Tripwire security researcher Craig Young told eSecurity Planet by email that not only is SQL injection one of the most prevalent Web security flaws, the process of finding and exploiting it is now easily automated with sophisticated tools. "The most prominent tool, known as SQLmap, makes it trivial for unskilled attackers to gain extensive access into a system with options including database dumping, reading/writing files, and in some circumstances even running OS commands or exploits," he said.

"The solution for SQL injection is incredibly simple, which is why it is astonishing how prevalent it still is after more than a decade of research on the topic," Young added. "Programmers only need to use parametrized queries to thwart SQLi attempts entirely. This technique allows the database engine to know precisely how the input was intended to be used such that there is virtually no risk of it being misinterpreted."

Recent eSecurity Planet articles have provided advice on improving database security, and offered 6 steps for fighting SQL injection attacks.