Skip to main content

VTech data breach leaves children and parents exposed

Lorenzo Franceschi-Bicchierai of Motherboard revealed a data breach, believed to be the fourth biggest ever, at Hong-Kong based company VTech, a producer of childrens educational computers and accessories.

The hacked data, which included names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech. However VTech was quick to point out that no financial records or credit card details were compromised as all online purchases are redirected to another payment gateway.

However, the compromised data dump did include the customers’ passwords, which were only encrypted using MD5, which is easily broken. What's more, the customers’ security questions and more importantly the customers chosen answers were stored in clear text. More alarmingly, the data dump also contained the first names, genders and birthdays of more than 200,000 children which could also be linked to their parents accounts and therefore their home addresses.

The data breach was believed to have been as a result of an SQL injection attack where a hacker can enter SQL commands into fields in a form, such as a registration form. However if the program does not validate the entry is the correct format then the hacker can enter any SQL query and effectively dump all the data from the database to the screen or to a file.

Unfortunately, VTech's security lapses went deeper than just not verifying correct entries into fields in a form, they also had no encryption whatsoever. This meant that customers logged on and entered their passwords in HTTP (clear text) and not in HTTPS (SSL/TLS encrypted, the green key in your browser). This would make customers details visible to anyone eavesdropping on a WiFi network.

VTech apparently did not support any encryption such as HTTPS and that is no longer acceptable on any website let alone a commercial site that stores personal information.

Image source: Shutterstock/wk1003mike