Toymaker VTech confirms cyberattack; appears tone deaf

VTech says its app store for its high-tech toys has been hacked, with reports indicating at least 4.8 million accounts have been breached. Some of that data is reportedly connected to kids.

VTech Holdings, which makes high-tech toys for children, said its Learning Lodge app store database was hacked in what appears to be a cyberattack perfectly timed for the holiday shopping season.

Learning Lodge is an app store for VTech devices that features learning games and other educational tools.

On Friday, the company confirmed the data breach.

Motherboard, which first reported the incident, put the number of breached accounts at 4.8 million. If that figure is accurate, VTech would be among one of the larger breaches based on rankings from the site Have I Been Pwned, but be well behind the Ashley Madison attack, which compromised more than 30 million accounts.

In 2013's holiday shopping season, Target revealed that about 110 million customer records were compromised. That cyberattack is the primary reason that retailers upgraded their point-of-sale systems this year.

VTech didn't disclose the number of accounts that were impacted, but did detail that its app store database was hacked November 14. The company's FAQ indicates that it only found out about the attack on November 23 when a journalist started asking questions. VTech confirmed the breach a day later.

The company said it contacted investigators and installed measures to thwart further attacks. VTech's database included profile information such as names, emails, passwords, IP and mailing addresses as well as other items.

Those passwords are said to have been encrypted using an old and outdated hashing algorithm, MD5, meaning simple passwords can be easily cracked, according to Troy Hunt, a Microsoft MVP for developer security. That could lead hackers to other internet accounts.

The database did not however store credit card information or personal identification data, such as Social Security numbers.

However, Motherboard's report indicated that VTech's database contained first names, genders and birthdays of more than 200,000 kids. That breach could allow parent data to be linked to their children.

Here's the bottom line: VTech's raw figures may not shock and awe, but the reality is that data about children adds a creepy factor to the attack. In addition, VTech's emphasis that credit card data wasn't impacted seems a bit tone deaf considering that kids' data appears to have been compromised. VTech should have addressed whether children data was also breached.

Hunt has a good post about the attack and noted that children data breaches add a new wrinkle to the equation.

Hunt said:

"I've got two little kids and as a father, this really made me think about the footprints I'll make for them online. I personally have a mixed reaction to this event; I'm upset that someone would seek to take this class of data from a system yet on the other hand, the data seems to have been very closely held and I hope it stays that way. But what really disappoints me is the total lack of care shown by VTech in securing this data. It's taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been."