The personal data of over 200,000 children was exposed after VTech, which sells electronic learning products, had its app store database, Learning Lodge, hacked.
The hackers gained access to sensitive information such as email addresses, passwords, and home addresses of 4,833,678 consumers who have bought products sold by VTech. In addition, information on the birthdays, first names, and genders of over 200,000 children was exposed.
VTech said that the hacked database stored information on customers from the US, UK, Ireland, Canada, France, Spain, Germany, Belgium, Denmark, the Netherlands, Luxembourg, Australia, New Zealand, Hong Kong, China, and Latin America.
In an email to customers, the company said: “Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks.”
The company said it was “important to note that our customer database does not contain any credit card or banking information” nor social security numbers.
Security expert Troy Hunt said he was extremely concerned by the breach.
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts,” he wrote.
“When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”
Hunt analyzed the data and found that VTech doesn’t even use SSL web encryption, and that data such as passwords is completely unprotected.
“Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people,” he added.
According to Motherboard, the hacker, who requested anonymity, said that they were able to access VTech’s database using a technique known as SQL injection. “It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said in an encrypted chat.