UPDATED 19:09 EST / NOVEMBER 29 2015

Kids toy maker VTech hacked with details of 5m parents and kids exposed

Children’s toy maker VTech Holdings Ltd. has been hacked, with the details of some 5 million users, consisting of parents and children, being stolen.

The company, which sells electronic learning products for children from infancy to preschool, confirmed the hack and said in an email that there was “unauthorized access” to its database on November 14.

“Upon discovering the unauthorized access, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks,” the email also noted.

While the company stated that no “personal identification data” or credit card information was exposed, Motherboard claims that the hacked data includes names, email addresses, passwords and home addresses of 4,833,678 parents who have bought products and the details of some 200,000 children.

The stolen data is also said to link the children to their parents, exposing the kids’ full identities and where they live.

Security expert Troy Hunt claims that the actual hack was most likely carried out by supplying Structured Query Language (SQL) commands to the website's database, since it was left exposed to the Internet, allowing anyone to interact with the information store without authentication.

To make matters worse, it also appears that VTech was not practicing “safe Internet”: it was not using Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt and protect user data sessions, nor had it updated the software on its site, which was reportedly a version of the ASP.NET (Active Server Pages .NET) framework that was superseded six years ago.

Hacking year

The hack of VTech is reported to be the fourth-largest hack of all time, coming in behind the hack of Ashley Madison that exposed the information of 30 million people cheating on their spouses and the Target data breach that saw the hacking of 110 million customers’ information.

The year may not have quite concluded yet, but 2015 could be called the year of the hack given how many companies, let alone government departments, have been attacked and successfully breached in the prior 11 months.

On one hand it’s difficult to blame companies given the growing sophistication of bad actors targeting them, but if the reports that VTech was running an old version of .NET and wasn’t using SSL are correct, the company deserves as much blame as the hackers themselves over the data breach. It’s one thing to say that you did everything you could to prevent a hack; it’s an entirely different matter when you leave yourself exposed, as VTech apparently has.

Image credit: nanagyei/Flickr/CC by 2.0
