iTnews
VTech flaw exposes millions of accounts

By Juha Saarinen on Nov 30, 2015 6:18AM

Accounts tied to thousands of children.

Educational toy maker VTech has leaked the personal information of millions of parents and hundreds of thousands of their children through what a security expert says is a lack of basic precautions on the company's website. 

Names, physical and email addresses, and passwords of over 4.8 million parents along with the first names, birthdays and genders of over 200,000 children were exposed in the large data breach. 

The data breach was first reported by Vice's Motherboard publication over the weekend, with the help of Microsoft Most Valuable Professional (MVP) Troy Hunt, who analysed the cache of information. 

VTech has acknowledged the breach but said it wasn't aware of the issue until notified by Motherboard. 

The company insisted the leaked database "does not contain any personal identification data" referring to identity cards, social security numbers, driver's licence details, or credit card information. VTech is active in Australia, and has an office in Melbourne. 

The unnamed hacker who contacted Motherboard said he did not disclose the information to other parties. 

Hunt verified the data in the leak by contacting some of the people whose information had been exposed. He was able to link the information for the children to their parents, and said "I start to run out of superlatives to even describe how bad that is". 

Although VTech asked parents for plenty of information about themselves and their children, the company did not follow basic security practices on the websites that collected that information. 

The actual hack was most likely carried out through SQL injection, supplying structured query language commands to the website's database through the site itself, which allowed anyone to interact with the information store without authentication, Hunt noted. 
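The mechanism Hunt describes, as an added illustration rather than anything from VTech's site or Hunt's analysis: a lookup that pastes user input into the query text lets a crafted value rewrite the WHERE clause and return every account, while the same lookup with a bound parameter treats the input as plain data. The table, the rows and the function names are constructed for this example and stand in for no real system.

```python
import sqlite3

# Constructed sample data: placeholder accounts, not records from the VTech breach.
SAMPLE_PARENTS = [
    ("alice@example.com", "pw-alice"),
    ("bob@example.com", "pw-bob"),
    ("carol@example.com", "pw-carol"),
]


def make_db():
    """Build an in-memory table that stands in for a site's parent-account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO parents VALUES (?, ?)", SAMPLE_PARENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Hypothetical vulnerable lookup: the input is concatenated into the SQL text.

    Whatever the user types becomes part of the statement, so a value such as
    ' OR '1'='1 turns "match this one email" into "match every row".
    """
    sql = "SELECT email, password FROM parents WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened lookup: fixed query text, value bound as a parameter.

    The database receives the statement and the value separately, so the
    same crafted input is compared as a literal string and matches nothing.
    """
    sql = "SELECT email, password FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def demo():
    """Run both lookups against the same payload and a legitimate address."""
    conn = make_db()
    dumped = lookup_vulnerable(conn, INJECTION)      # every row comes back
    blocked = lookup_safe(conn, INJECTION)           # no row has that literal email
    normal = lookup_safe(conn, "bob@example.com")    # legitimate lookups still work
    return len(dumped), len(blocked), normal


if __name__ == "__main__":
    rows, blocked, normal = demo()
    print(f"vulnerable query returned {rows} rows for payload {INJECTION!r}")
    print(f"parameterised query returned {blocked} rows for the same payload")
    print(f"parameterised query for a real address: {normal}")
```

The point of the pair is that the fix is not input filtering but keeping query structure and data apart; the hardened function never builds SQL from strings at all.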

He further reviewed the VTech site's security and found that it did not use Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt and protect user sessions, so credentials and personal data travelled in clear text. 

VTech also appears not to have updated the software on its site, which was reportedly running a version of the Active Server Pages .NET (ASP.NET) framework that was superseded six years ago, Hunt said. 

Hunt has made the details of the over 4.8 million parent accounts searchable in his free Have I Been Pwned? site, which keeps track of large data breaches and allows users to discover whether their details have been leaked. 

Copyright © iTnews.com.au . All rights reserved.
Tags: data breach, security, sql, troy hunt, vtech