UPDATED 16:08 EST / NOVEMBER 30 2015


Bad to worse: VTech hack data includes kids pictures and chat logs

The news for children’s toy maker VTech Holdings Ltd. went from bad to worse Monday with the disclosure that a data breach included photos of children and their chat logs.

Disclosure of the hack of VTech’s Learning Lodge, its app store for its range of electronic children’s products catering to infants through preschoolers, first came to light over the weekend, but the depth of the data obtained wasn’t known … until now.

The hacker behind the data theft spoke to Motherboard and said that the company had left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. The specific data is said to come from VTech’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet.

It’s not entirely clear exactly how many pictures were exposed, but the hacker added that he was able to download more than 190GB worth of photos from VTech, putting the estimated figure around at least in the tens of thousands.

The chat messages obtained consisted of exchanges between parents and their children and included messages such as “Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” and “You are my HERO!Daddy!100 percent!”

All of the messages and photos are said to include attached information that would allow the children and their parents to be identified.

Moral hacker?

The only possible solace from the hack is that it would appear, at least on the surface, that the hacker who obtained the data may not be intending to use the information for nefarious activities.

“Frankly, it makes me sick that I was able to get all this stuff,” the hacker told Motherboard. “VTech should have the book thrown at them.

“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store] … I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames … of everyone in their Kid Connect contacts list.”

VTech, for its part, has taken down a range of sites and online services “as a precautionary measure” until such time as it can fix its security issues, which as noted previously appear to have included a failure to use SSL, a six-year-old version of the .NET framework and an easily accessible database.

Image credit: greggoconnell/Flickr/CC by 2.0

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.