Vtech breach dumps 4.8m families' information, toy security is to blame

Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents passwords and password hints.

Worst of all, Vtech's own jaw-droppingly poor security is clearly to blame. The company didn't salt their password database, take countermeasures against code-injection attacks, or even use SSL to protect user passwords and other sensitive information in transit.

The company was slow to respond to the first reports of the breach, so that criminals who had the data had a longer window in which to exploit it before Vtech's customers knew to take action, and when Vtech finally did acknowledge the breach, it weaseled and misled its customers about the seriousness of the problem.

Troy Hunt, who operates the indispensable Have I Been Pwned service, has written up a thorough and damning account of Vtech's failings, and what they mean for 4.8 million families whose trust Vtech betrayed.

Now here’s where I need to be intentionally vague because despite their assurances that their system is now secure, they still have gaping holes that allow every kid to be matched with every parent. The details of this have been passed on to VTech and I’ll say this much here: there’s no simple fix. The flaws are fundamental and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly. You just can’t take chances with other people’s data in this way, especially not when they’re kids.

The average age of kids when their account was created is just 5 years old. They have the sorts of login names you’d expect a parent to give their children; affectionate “pet names” in many cases. The kids are almost precisely split between girls and boys and not only has their data already been leaked in this breach, it remains at serious risk due to the implementation of the site.

When children are breached—inside the massive VTech hack
[Troy Hunt/Ars Technica]