Abysmal security practices by toy maker VTech result in massive data breach

Hong Kong-based electronic toy maker VTech has suffered a massive breach. The target was the Learning Lodge app store, from which registered users can download games, music, and e-books to use on the company’s toy tablets and laptops.

According to Troy Hunt, who operates the Have I Been Pwned? service, the app store’s database has been plundered via a simple SQL injection attack, and account information of some 4.8 million customers has been compromised.
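The article does not say how the injection was carried out, so as an added illustration (not code from the page or from VTech) the following Python/sqlite3 sketch shows the shape of the flaw: a login query built by pasting user input into SQL text, beside the parameterised form that binds values separately. The table, accounts and password hints are constructed here and hypothetical; the `pw_hash` column uses bare MD5 to mirror the storage scheme the article describes.

```python
import hashlib
import sqlite3

# Constructed sample data (hypothetical accounts, not data from the breach).
# The pw_hash column mirrors the scheme the article describes: bare MD5.
SAMPLE_USERS = [
    ("alice@example.com", "password", "first pet"),
    ("bob@example.com", "qwerty", "mother's maiden name"),
]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT, hint TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(email, md5_hex(pw), hint) for email, pw, hint in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """User input is pasted straight into the SQL text, so the input can
    change the query's structure instead of just supplying a value."""
    sql = (
        "SELECT email FROM users "
        f"WHERE email = '{email}' AND pw_hash = '{md5_hex(password)}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email: str, password: str) -> list:
    """Parameterised query: the driver binds the values separately from the
    SQL text, so a quote or comment marker in the input is only data."""
    sql = "SELECT email FROM users WHERE email = ? AND pw_hash = ?"
    return [row[0] for row in conn.execute(sql, (email, md5_hex(password)))]


# Classic payloads. The trailing "--" comments out the password check.
TAUTOLOGY = "' OR 1=1 --"                          # bypasses authentication
UNION_DUMP = "' UNION SELECT hint FROM users --"   # reads another column


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, tautology :", login_vulnerable(conn, TAUTOLOGY, "x"))
    print("vulnerable, union dump:", login_vulnerable(conn, UNION_DUMP, "x"))
    print("safe, tautology       :", login_safe(conn, TAUTOLOGY, "x"))
```

Against the vulnerable function the tautology payload returns every account and the UNION payload returns a column that was never meant to be queryable from the login form; the parameterised version returns nothing for either, because the payload is compared as a literal email address. Parameterisation fixes the injection only; storing unsalted MD5 in `pw_hash` remains a separate problem.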

This includes each customer's email address, name, (supposedly encrypted) password, password hint and secret question, IP address, location and postal address. Hunt also found that the passwords are not actually encrypted: they are hashed with MD5, a fast algorithm designed for speed rather than password storage, and no salt was used at all, so a single table of guessed hashes cracks every account at once and users who chose the same password share the same hash. The secret questions and answers are stored in plain text.
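To show why unsalted MD5 is the problem Hunt describes, here is an added Python example (not code from the page or from VTech) that cracks a small constructed table of hypothetical accounts two ways: once against bare MD5, where one pass over a wordlist covers every account, and once against per-user-salted PBKDF2-HMAC-SHA256, where every account/candidate pair costs a full run of a deliberately slow function. The account names, passwords and wordlist are constructed for the demo; the iteration count is kept low so it runs in seconds.

```python
import hashlib
import hmac
import os

# Constructed sample data: hypothetical accounts, not data from the breach.
ACCOUNTS = {
    "parent1": "password",
    "parent2": "qwerty",
    "parent3": "S3cure!Pa55",   # not in the wordlist; survives both attacks
    "parent4": "password",      # same password as parent1
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "abc123"]


def md5_unsalted(password: str) -> str:
    """The scheme the article describes: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> tuple:
    """Hash each candidate once, then look every account up in the result.
    Work is len(wordlist) hashes no matter how many accounts there are,
    and every account sharing a password falls together."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return cracked, len(wordlist)


def pbkdf2_salted(password: str, iterations: int, salt: bytes = None) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as algo$iterations$salt$hash so the verifier can recover the parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist) -> tuple:
    """With a unique salt there is nothing to precompute: every (account,
    candidate) pair costs a full KDF run. Returns (cracked, kdf_runs)."""
    cracked, runs = {}, 0
    for user, record in stored.items():
        for w in wordlist:
            runs += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, runs


def demo(iterations: int = 20_000) -> dict:
    """Iterations kept low so the demo runs in seconds; production settings
    are in the hundreds of thousands."""
    weak = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {u: pbkdf2_salted(p, iterations) for u, p in ACCOUNTS.items()}
    weak_cracked, weak_work = crack_unsalted(weak, WORDLIST)
    strong_cracked, strong_work = crack_salted(strong, WORDLIST)
    return {
        "weak_cracked": weak_cracked,
        "weak_work": weak_work,
        "strong_cracked": strong_cracked,
        "strong_work": strong_work,
        "same_hash_unsalted": weak["parent1"] == weak["parent4"],
        "same_hash_salted": strong["parent1"] == strong["parent4"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

Both attacks crack the same three weak passwords, which is the point: a salt and a slow hash do not rescue a bad password. What changes is the cost. The unsalted table falls to six MD5 computations in total, and the two accounts that chose "password" are exposed by the same hash, whereas the salted table needs thirteen separate PBKDF2 runs of twenty thousand iterations each, and that cost scales with the number of accounts.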

But what’s even more worrying is that the stolen database also contains account information from accounts that parents set up for their children. These accounts contain the name, date of birth and gender of the children, and are directly tied to the parents’ account. All in all, information contained in some 227,000 accounts tied to children has been compromised.

The hacker who breached the company's database first shared the information with Motherboard journalist Lorenzo Franceschi-Bicchierai, who brought in Hunt to confirm whether the data was genuine.

Once they had established that it was, Franceschi-Bicchierai contacted VTech, which apparently knew nothing of the hack. The company finally announced the breach publicly on Friday, but did not disclose its full extent and downplayed its severity.

The plundered database contains customer data from the US, Canada, UK, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

VTech says the breach happened on November 14, and claims that it has "conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."

But Hunt is doubtful about these assurances, as the company has so far failed to implement basic protections: connections to the website are not encrypted (no SSL), passwords are hashed with a weak algorithm, and the rest of the data is not encrypted at all.

“What really disappoints me is the total lack of care shown by VTech in securing this data. It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been,” he noted.

“Lorenzo was told by the person that provided him with the data that the initial point of compromise was due to a SQL injection attack and even without seeing the behaviour above, I would have agreed that was the most likely attack vector. On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant.”