4.8 million parent records exposed, 200,000 kid accounts

Nov 27, 2015 22:11 GMT  ·  By

VTech, a Chinese company that builds and sells electronic learning toys, was breached by a mysterious hacker who shared the data with Vice's Motherboard.

According to Vice reporter Lorenzo Franceschi-Bicchierai and Troy Hunt, owner of the Have I Been Pwned? service, the data they analyzed contained extremely personal details of over 4.8 million parents and over 200,000 children.

The company has acknowledged the incident and said that no credit card information leaked in the incident. Unfortunately, many other details did. These include:

●      Parent names
●      Parent emails
●      Parent passwords
●      Parent secret question and answers
●      Parent password hints
●      Parent login information
●      Parent registration URL
●      Parent IP information
●      Parent addresses
●      Parent VTech account details
●      Child names
●      Child avatar images
●      Child gender
●      Child passwords
●      Child registration URL
●      Child VTech account details
●      Child-parent relations

The dumped data seems to contain information about VTech customers residing mainly in the UK, Spain, Germany, and France.

Following his analysis, Mr. Hunt says that the data appears to have come from a database dump, following an SQL injection attack, which the Vice reporter's sources have confirmed.

Worryingly, the data reveals many sensitive details: the (family) relation between parent and kid accounts, the registration URLs, and data that allows any investigator to identify children based on the devices they used and the websites they frequented.

Outdated technology and a lack of security best practices made the incident possible

In his analysis, Mr. Hunt also discovered that VTech was using an extremely outdated platform, relying on ASP.NET 2.0, WCF, SOAP, and lots of Flash. SSL was nowhere to be found on any of VTech's sites, and in one instance, analyzing one of VTech's portals, Mr. Hunt also discovered SQL queries dumped with other debug data.

"Why they’re returning a SQL statement is absolutely beyond me," Mr. Hunt noted. "On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant [in VTech's system]."
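The two patterns Mr. Hunt's findings point at, as an added illustration that is not code from the article or from VTech: an ADO.NET lookup that splices user input into the SQL text and returns the statement in its error output, beside a parameterized version that keeps diagnostics server-side. The connection string, table and column names are assumptions, not VTech's schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Hypothetical ADO.NET lookup of a parent account by e-mail, in the style of
// ASP.NET 2.0 code-behind. Connection string, table and column names are
// assumptions for illustration, not VTech's schema.
public static class ParentLookup
{
    const string ConnStr = "Server=(local);Database=Learning;Integrated Security=true";

    // Insecure: user input is spliced into the SQL text, so the statement the
    // server runs depends on what the user typed; and the failure path echoes
    // the statement and database error to the caller, the kind of debug
    // output the article describes.
    public static string FindParentIdInsecure(string email)
    {
        string sql = "SELECT ParentId FROM Parents WHERE Email = '" + email + "'";
        try { return RunScalar(new SqlCommand(sql)); }
        catch (SqlException ex) { return "Query failed: " + sql + " / " + ex.Message; }
    }

    // Hardened: the value travels as a typed parameter, so the SQL text is
    // fixed whatever the input; the caller only ever sees a generic message
    // while the details go to a server-side log.
    public static string FindParentIdSafe(string email)
    {
        SqlCommand cmd = new SqlCommand("SELECT ParentId FROM Parents WHERE Email = @email");
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;
        try { return RunScalar(cmd); }
        catch (SqlException ex)
        {
            System.Diagnostics.Trace.TraceError("Parent lookup failed: {0}", ex);
            return "Lookup failed";
        }
    }

    // Shared plumbing: open a connection, run the command, return one value.
    static string RunScalar(SqlCommand cmd)
    {
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (cmd)
        {
            cmd.Connection = cn;
            cn.Open();
            object id = cmd.ExecuteScalar();
            return id == null ? "not found" : id.ToString();
        }
    }
}
```

In ASP.NET, setting `<customErrors mode="On">` (or `RemoteOnly`) in web.config additionally keeps the framework's own detailed error pages from reaching remote clients.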

The VTech data was added to the Have I Been Pwned? service, where it ranks as the fourth biggest data breach in the site's history, right after Adobe (152 million accounts), Ashley Madison (30 million accounts), and 000webhost.com (13.5 million accounts).

Image: VTech hacked, parent and children information lost

Image: Data lost in the VTech incident