UPDATED 16:08 EDT / NOVEMBER 30 2015

NEWS

Bad to worse: VTech hack data includes kids pictures and chat logs

The news for children’s toy maker VTech Holdings Ltd. went from bad to worse Monday with the disclosure that a data breach included photos of children and their chat logs.

Disclosure of the hack of VTech’s Learning Lodge, its app store for its range of electronic children’s products catering to infants through preschoolers, first came to light over the weekend, but the depth of the data obtained wasn’t known … until now.

The hacker behind the data theft spoke to Motherboard and said that the company had left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. The specific data is said to come from VTech’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet.

It’s not entirely clear exactly how many pictures were exposed, but the hacker added that he was able to download more than 190GB worth of photos from VTech, putting the estimated figure around at least in the tens of thousands.

The chat messages obtained consisted of exchanges between parents and their children and included messages such as “Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” and “You are my HERO!Daddy!100 percent!”

All of the messages and photos are said to include attached information that would allow the children and their parents to be identified.

Moral hacker?

The only possible solace from the hack is that it would appear, at least on the surface, that the hacker who obtained the data may not be intending to use the information for nefarious activities.

“Frankly, it makes me sick that I was able to get all this stuff,” the hacker told Motherboard. “VTech should have the book thrown at them.

“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store] … I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames … of everyone in their Kid Connect contacts list.”

VTech, for its part, has taken down a range of sites and online services “as a precautionary measure” until such time as it can fix its security issues, which as noted previously appear to have included a failure to use SSL, a six-year-old version of the .NET framework and an easily accessible database.

Image credit: greggoconnell/Flickr/CC by 2.0

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU