Toy Maker VTech Suffers Security Breach: What You Need to Know
Kid-friendly gadget maker says unauthorized person got into its database.
— -- VTech, the maker of high-tech educational toys for children, has announced it suffered a security breach to its database, potentially putting the information of millions of customers at risk.
The Hong Kong-based company said in a statement that its Learning Lodge store, a portal where customers can download educational content to their child-friendly VTech devices, which include tablets and watches, had been accessed by an unauthorized party on Nov. 14.
VTech makes kid-friendly gadgets, including the InnoTV, which is a gaming system, tablets under the InnoTab brand, and a smartwatch and action camera under its Kidizoom line.
Customers were first told about the breach on Nov. 27, but questions remain. Here's the latest:
Who's at Risk
Anyone who has used VTech's Learning Lodge store to download content onto their child's VTech gadget should consider their information as compromised.
VTech said its customer database includes people in the following countries: USA, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.
The company said 4,854,209 parent accounts and 6,368,509 related kid profiles were impacted.
What Was Compromised
VTech's customer database includes "general user profile information," according to the company. That includes a customer's name, email address, password, their secret question and answer for retrieving a lost password, IP address, mailing address and download history. In addition, VTech says its “database also stores kids’ information including name, genders and birthdates.”
The company said credit card data was not impacted since payments are sent to a secure, third-party payment gateway,
A hacker who claimed to be responsible for the data breach and who asked to remain anonymous told Vice's Motherboard about the hack last week, including the above information.
Perhaps even more troubling is the other sensitive information the hacker alleged was exposed on the servers, including photos of children and chat transcripts they've had with their parents, according to Motherboard, which obtained copies of some of the data to verify the hacker's claims.
In its updated FAQ section today, VTech said due to its ongoing investigation, it would not confirm the Motherboard report at this stage, however the company noted images sent on the devices between children and their parents are encrypted.
When and How VTech Found Out
A statement from VTech said the company first heard about the breach when they were emailed by a journalist asking for comment on Nov. 23.
"After receiving the email, we carried out an internal investigation and detected some irregular activity on our Learning Lodge website on November 14," the statement said. "We immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
Customers were notified "as swiftly as possible" on Nov. 27, the company said.
What VTech Is Doing About the Breach
While the company said it has taken actions to make sure this won't happen again, it was unclear what specifically was being done.
"We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future," VTech's statement said.
The company has also set up dedicated email addresses by country for customers who may have questions or concerns.
How to Stay Safe With Connected Toys
A breach such as this one shouldn't steer parents away from buying connected toys this holiday season, said Robert Siciliano, an online safety expert to Intel security. Siciliano recommends parents do their research before buying a toy -- even if it's a simple Google search with the toy name and the words "vulnerability" or "hacked" to see if there have been any reported issues.
After buying a connected toy -- or any other device with a Wi-Fi connection -- a scan should immediately be done on the new item as soon as it is plugged into a computer to ensure it didn't come from the factory with any potential malware, Siciliano told ABC News.
He also recommends installing all software updates in a timely manner and ensuring the device is connected to a secure Wi-Fi network to help keep it safe from hackers.