One of the largest data hacks of all time occurred earlier this month. In a report, Motherboard writer Lorenzo Franceschi-Bicchierai reveals the personal information of nearly 5 million parents and over 200,000 children were exposed earlier this month. The data theft occurred after a hacker breached the servers of a toy company.
Online publication Motherboard has revealed a hacking incident of mammoth proportions with the breach of VTech, a Chinese company with nearly $2 billion in revenue. A hacker who gained the means to breach the company’s servers has reportedly stolen the personal information of nearly 5 million parents and over 200,000 children. VTech sells toys such as tablets, toys and gadgets for kids all over the world.
The hacked data includes:
- Email addresses
- Passwords, and
- Home address
The above details of nearly 5 million parents who purchased products sold by VTech are a part of the breach. The data hack also includes the first names, genders and birthdays of over 200,000 children. An expert who reviewed the breach for the publication added that it is entirely possible to cross-reference the children’s record to that of the parents which would essentially reveal the kids’ complete identities, as well as their locations.
The publication communicated with the hacker who claimed responsibility for the breach and even sent in some of the breached data to Motherboard to prove the claim. The publication then reached out to VTech, who weren’t aware of the breach and confirmed it.
In an email to Motherboard, a VTech spokesperson said:
On November 14, an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.
VTech has since revealed some details of the breach publicly while notably holding back on the severity of the comprehensive breach. The press release fails to mention any real details of the breach, nor does it reveal the failings of the weak security measures used by the company.
Lorenzo reached out to security expert Troy Hunt who operates the helpful and free look-up website Have I been pwned (HIBP). Hunt discovered nearly 5 million unique email address and passwords stored in hash, otherwise known as MD5, a weak standard of security. Significantly, account recovery questions were stored in plaintext, an easy means for a malicious attacker to steal victims’ identities. According to HIBP — a website where you can check if your email has ever been a part of most known breaches — the incident is the fourth largest known data breach, ever.
Hunt’s own comprehensive account of the incident can be found here.
As it turns out, the hacker – who asked to remain anonymous – seems to be a white-hat by not selling the information for profit online. The hacker noted he had root access, or complete access to VTech’s servers. He added:
It was pretty easy to dump (steal), so someone with darker motives could easily get it.
Featured image from Shutterstock.