Toy maker VTech says breach hit 6.4 million kids' accounts

Most affected accounts were in the U.S.

Educational toy maker VTech has said 11.6 million accounts were compromised in a cyberattack last month, including those of 6.4 million children.

The total number of accounts affected is nearly double that reported last week by the security news site Motherboard, which interviewed a hacker who claimed credit for the breach.

Most of the account holders were in the U.S., including 2.2 million parents and 2.8 million children, VTech said Wednesday in Hong Kong, where the company is based. France, the U.K., Germany and Canada round out the top five countries hit, VTech said in an updated FAQ.

Data breaches have been become a top worry as cybercriminals and hackers probe online systems for weaknesses, resulting in massive breaches of payment card systems, health care data and U.S. government personnel records.

VTech's breach stands out because it affected millions of children. The profile data leaked included their names, genders and birth dates.

Reuters reported that the attorney generals of Illinois and Connecticut planned to investigate the breach, which occurred Nov. 14. And Hong Kong's privacy commissioner for personal data said he would check whether VTech was following data privacy principles.

VTech's toys include color touchscreen tablets for kids similar to Apple's iPad. The InnoTab 3 has a camera, and can record video and audio and download apps.

Motherboard also reported that photos of children and parents had been exposed, as well as chat logs. VTech said it couldn't confirm that images were leaked, but Motherboard published partially obscured images that it said it obtained from the hacker.

VTech said images on its servers are encrypted using the 128-bit Advanced Encryption Standard algorithm.

Chat logs from a VTech messaging service called Kid Connect are also believed to have been exposed, as well as some audio files. VTech said the chat logs were not encrypted, but that the audio files were encrypted using AES 128.

AES is considered a secure cryptographic algorithm and is widely used by the U.S. government. It's unclear how Motherboard or the hacker would have been able to decrypt the images, since brute-force attacks are nearly impossible.

The security of the encrypted files and images, however, depends on how well VTech protected the private decryption keys, and the release of images raises the question of whether the hacker obtained those as well.

The breach affected the customer database for Learning Lodge, an app store for VTech's devices, as well as the Kid Connect servers. VTech has suspended both services and 13 websites.

The company plans to hired a security consultancy firm to conduct a forensic investigation and "help us to design a new more secure approach to our data security," it said.

Of the 11.6 million accounts affected, 4.8 million belong to parents. The parent data included names, email addresses, weakly hashed passwords, secret questions for password retrieval, IP addresses, mailing addresses and download history. No payment information was compromised.

The leaked data doesn't appear to have been used for criminal purposes yet, VTech said. Since the breach was of its servers, VTech said there doesn't appear to be a risk of children being tracked while using its devices.

Join the CSO newsletter!

Error: Please check your email address.

More about AdvancedAdvanced Encryption StandardAppleVTech

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place