The news for children’s toy maker VTech Holdings Ltd. went from bad to worse Monday with the disclosure that a data breach included photos of children and their chat logs.

Disclosure of the hack of VTech’s Learning Lodge, its app store for its range of electronic children’s products catering to infants through preschoolers, first came to light over the weekend, but the depth of the data obtained wasn’t known … until now.

The hacker behind the data theft spoke to Motherboard and said that the company had left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. The specific data is said to come from VTech’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet.

It’s not entirely clear exactly how many pictures were exposed, but the hacker added that he was able to download more than 190GB worth of photos from VTech, putting the estimated figure around at least in the tens of thousands.

The chat messages obtained consisted of exchanges between parents and their children and included messages such as “Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” and “You are my HERO!Daddy!100 percent!”

All of the messages and photos are said to include attached information that would allow the children and their parents to be identified.

Moral hacker?

The only possible solace from the hack is that it would appear, at least on the surface, that the hacker who obtained the data may not be intending to use the information for nefarious activities.

“Frankly, it makes me sick that I was able to get all this stuff,” the hacker told Motherboard. “VTech should have the book thrown at them.

“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store] … I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames … of everyone in their Kid Connect contacts list.”

VTech, for its part, has taken down a range of sites and online services “as a precautionary measure” until such time as it can fix its security issues, which as noted previously appear to have included a failure to use SSL, a six-year-old version of the .NET framework and an easily accessible database.

Image credit: greggoconnell/Flickr/CC by 2.0