VTech data breach gets worse: Children’s pictures and chat logs were also compromised
The hacker who breached VTech’s customer database and shared with the world the fact that the exploit was so easy anyone could do it (SQL injection), has found additional critical user data stored on the company’s servers: tens of thousands pictures of children and parents, their chat logs and even some audio recordings made by children.
This particular set of data has been collected by the toy maker via the company’s Kid Connect service, which allows parents and children to chat using a smartphone app and a VTech tablet.
According to Motherboard, the hacker managed to download over 190GB worth of photos, and expressed his outrage at the fact that VTech stored this information in such an insecure manner.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker explained. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”
Another great question is why the company stores this type of information at all.
VTech has not commented on this new revelation, but has released an update about the data breach. It contains no mention about user photos or chat logs, only a reiteration of the original statement saying that the customer database did not contain any personal identification data nor any credit card information.
The company also announced that they have suspended Learning Lodge for the time being, as well as a dozen or so of its websites, “for thorough security assessment and fortification.”
Troy Hunt, the researcher who verified the data forked over by the hacker, has previously expressed his doubt about VTech’s ability to keep user data safe.
“What really disappoints me is the total lack of care shown by VTech in securing this data. It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, [but] evidently have been,” he noted.
“This breach is another sad example of a company ignoring some very basic application security best practices. Why are websites still vulnerable to SQL injection today? The industry has known about this for decades, is one of the OWASP Top 10 most dangerous vulnerabilities and they are not difficult to find or fix,” commented Chris Eng, VP of Security Research at Veracode.
“Like we see with IoT manufacturers, consumer technology companies just aren’t viewing security as of primary importance to their core business and are paying the price for it. Toy manufacturers don’t have the rigor around secure development that’s needed in today’s environment and are inevitably going to fall short on security.”
The hacker who breached VTech and exfiltrated the data has said he won’t be publishing or selling it – he apparently only wanted to shine the spotlight on the poor security employed by VTech.
The problem is, if they don’t fix the issue soon and well, other attackers might end up with the same data (if they haven’t already).