VTech flaw exposes millions of accounts

Accounts tied to thousands of children.

Educational toy maker VTech has leaked the personal information of millions of parents and hundreds of thousands of their children through what a security expert says is a lack of basic precautions on the company's website.

Names, physical and email addresses, and passwords of over 4.8 million parents along with the first names, birthdays and genders of over 200,000 children were exposed in the large data breach. 

The data breach was first reported by Vice's Motherboard publication over the weekend, with the help of Microsoft Most Valuable Professional (MVP) Troy Hunt, who analysed the cache of information.

VTech has acknowledged the breach but said it wasn't aware of the issue until notified by Motherboard.

The company insisted the leaked database "does not contain any personal identification data" referring to identity cards, social security numbers, driver's licence details, or credit card information. VTech is active in Australia, and has an office in Melbourne. 

The unnamed hacker who contacted Motherboard said he did not disclose the information to other parties. 

Hunt verified the data in the leak by contacting some of the people whose information had been exposed. He was able to link the information for the children to parents, and said: "I start to run out of superlatives to even describe how bad that is."

Although VTech asked for plenty of information from parents about themselves and their children, the company did not follow any best practices when it comes to security for the websites that collected the information. 

The actual hack was most likely done through supplying structured query language commands to the website database, since it was left exposed to the internet, allowing anyone to interact with the information store without authentication, Hunt noted. 

He further reviewed the VTech site security and found that it did not use Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt and protect user data sessions.  

VTech also appears not to have updated the software on its site, which was reportedly a version of the Active Server Pages .NET framework that was superseded six years ago, Hunt said.

Hunt has made the details of the over 4.8 million parents searchable in his free Have I been Pwned? site, which keeps track of large data breaches and allows users to discover if their details have been leaked. 

Copyright © iTnews.com.au . All rights reserved.
