Skip to main content

VTech slammed by experts for "unforgivable" security lapse

Security experts have called out Vtech for allegedly not securely storing customer passwords in its database, after hackers accessed more than six million children's account details last month in the toy firm's app store.

A large amount of data from the hack was seen online for a while before it was hidden, according to some experts. It also appeared to include a considerable number of children's names, dates of birth and gender.

Security researchers say Vtech did not take common steps to protect customer passwords in the event of a breach, with one even calling the firm's lapse "unforgivable".

After the 14 November event that compromised users' passwords, Vtech emailed affected customers on Monday, defending that their passwords had been encrypted, but may have been decrypted by hackers.

A user's chosen password must never be stored a readable format and a website must use a mathematical algorithm that scrambles or hashes the password into a string of code.

In the case of Vtech, Trend Micro's Rik Ferguson said the firm hashed its customers' passwords, but had not properly scrambled customer passwords in its database and had also stored customers' security questions and answers in plain text. Adding complexity to the hashing process is to use "salt," a randomly generated text that can be added to each user's password before it is scrambled - one which Vtech did not use.

Vtech had also used a vulnerable algorithm to hash its customers' passwords, Ferguson said. "They made a poor choice. The MD5 algorithm has been known to be flawed for a decade."

"It is unforgivable, for a technology company making products for children. They had an enormous duty of care and they failed."

Ferguson advised affected users to change passwords and security questions if they used the compromised data on another website and never to use the same details across websites.