Children's Pictures, Chat Logs Also Obtained in VTech Hack
Last Friday, VTech, a company that manufactures Internet-enabled tablets and gadgets for kids, announced an unauthorized party had accessed its Learning Lodge app store database.
Since that initial announcement, the severity of the breach has been revealed. Initially, the company admitted the personal information of 6.3 million customers had been accessed, including names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories.
However, the hacker told Motherboard that the company had also left other sensitive data on its servers, including thousands of kids’ pictures and chat logs between parents and children. The hacker claimed to have downloaded more than 190 GB of photos. Even though some were blank or duplicates, there are 2.3 million Kid Connect users, so it’s likely there were tens of thousands of unique headshots.
This data was available trough VTech’s Kid Connect service, which allows parents to use their smartphone to chat with their kids via their VTech Tablet. The company encourages adults and children to take pictures of themselves within the app.
The chat logs, pictures and recordings can easily be traced to usernames, which allows anyone with the hacked data to identify the people in the photographs.
The hacker said it was not his intent to sell or publish the information.
”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told Motherboard’s Lorenzo Franceschi-Bicchierai in an encrypted chat. ”VTech should have the book thrown at them.”
The company said in a November 30 announcement that, as a precautionary measure, it has suspended Learning Lodge and a number of its other websites for security assessment and fortification.
Meanwhile, Rosen Law Firm announced today it is investigating potential claims on behalf of VTech customers. The law firm is claiming the security of VTech’s databases was inadequate. In fact, the company admitted that its “Learning Lodge, Kid Connect and PlanetVTech databases were not as secure as they should have been.”