A New and Terrifying Breach

Last week, a new and terrifying breach was discovered. Not with a bank, or a government agency or even a credit card company. It was a toy company.

We’re all used to breaches now, unfortunately. As with violent crime and government scandals, we are arguably becoming less and less sensitive to such things, and even the disturbing information revealed by Edward Snowden, so alarming at the time, has all but disappeared from the public awareness.

So when it was discovered last week that toy manufacturer VTech (based in Hong Kong) had been hacked, one of the very first responses the company gave was that no credit card data had been compromised.

Well, that’s good. I mean, I wouldn’t want my credit card number exposed, though to be honest I don’t worry much about that: in my own experience the credit card companies have proven insanely good at catching fraud attempts, often before I’m even aware of them.

Troy Hunt, creator of haveibeenpwned.com, posted a great article on his site (subsequently reposted on Ars Technica), describing everything from how he was tipped off about this breach to his analysis of the data. The first table he examined contained the following fields, which are not uncommon in breach data:

id
email
encrypted_password
first_name
last_name
password_hint
secret_question
secret_answer
active
first_login
last_login
login_count
client_ip
client_location
registration_url
country
address
city
state
zip
updated_datetime

Troy found that ALL these fields were stored completely unencrypted. Even the “encrypted_password” field. So…there’s that. Also, considering that many people reuse the same password (and password hint) and the same secret question and answer across sites, that’s a lot of useful information for a thief.
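To make that concrete, here is an added example of my own (not VTech’s code, and not something from Troy’s analysis): a constructed account record using the field names from the table above, stored the way this breach suggests, next to a hardened version that keeps only a salted, slow hash of the password and of the secret answer and drops the hint entirely. The sample values, the helper names and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample record (not real VTech data), using the field names from
# the breach table. This is what the leaked row effectively looked like: every
# secret in it is usable as-is by whoever reads the table.
WEAK_RECORD = {
    "email": "parent@example.com",
    "encrypted_password": "hunter2",          # nothing "encrypted" about it
    "password_hint": "the usual one",         # tells a thief the password is reused
    "secret_question": "Mother's maiden name?",
    "secret_answer": "Smith",                 # plaintext, and valid at other sites too
}


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters), encoded as one string.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    A fresh 16-byte salt per secret means two users with the same password get
    different stored values, and a leaked table cannot be reversed with one
    precomputed lookup table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def normalize_answer(answer: str) -> str:
    """Secret answers get typed casually ('smith', ' Smith '), so normalise before hashing."""
    return " ".join(answer.split()).lower()


def harden_record(record: dict) -> dict:
    """The same account, stored so that reading the row reveals no reusable secret.

    The password and the secret answer are both hashed like passwords; the hint
    is dropped because its only purpose is to leak information about the password.
    """
    return {
        "email": record["email"],
        "password_hash": hash_secret(record["encrypted_password"]),
        "secret_question": record["secret_question"],
        "secret_answer_hash": hash_secret(normalize_answer(record["secret_answer"])),
    }


def check_login(record: dict, password: str) -> bool:
    return verify_secret(password, record["password_hash"])


def check_recovery(record: dict, answer: str) -> bool:
    return verify_secret(normalize_answer(answer), record["secret_answer_hash"])


if __name__ == "__main__":
    hardened = harden_record(WEAK_RECORD)
    print(hardened)
    print(check_login(hardened, "hunter2"), check_recovery(hardened, " smith "))
```

The point of hashing the secret answer the same way as the password is that, for account recovery, the answer is a password: anyone holding the leaked row can use it at every other site where the same mother’s maiden name was given.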

I’ll give you two guesses on whether or not VTech used SSL to transmit any of the data that flows between their devices, mobile phone apps, and web sites. You’re really only going to need one though.

Troy goes on to find that not only is parent data exposed; parents are also encouraged, or forced, to create profiles for their children. These profiles include name, gender and birthdate. Good grief! Also of note is that part of the setup process includes taking your own picture as well as photos of your kid’s face so that you can make a cute avatar.

I spoke to Troy about that last point, and he said that the photo headshots were not encrypted (although storing them unencrypted would not be unusual). Lorenzo Franceschi-Bicchierai, who writes for Motherboard and who originally contacted Troy with the information about the breach, has just posted an article confirming that the headshots and chat messages were also exposed. Lorenzo was contacted by an anonymous hacker who was able to breach VTech’s “security”.

He was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands or more headshots of parents and kids, according to the hacker.

The hacker goes on to say:

Frankly, it makes me sick that I was able to get all this stuff

Indeed.

The scary thing is that, as with other breaches, VTech is unlikely to be the only insecure toy company. I’m hoping that other electronic toy companies learn from VTech’s massive failure, and do it quickly.