Hong Kong-based toymaker VTech disclosed that the sensitive information of nearly 5 million adults and more than 200,000 children was compromised during the breach of a portal used to download games to tablets, Reuters reported yesterday (Dec. 1).
Security experts warned that similar companies that handle customer data may also be targeted. According to Reuters, these experts expect to see an increase in the number of cyberattacks aimed at stealing information collected through digital toys and other Web-connected devices.
“You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data,” Katie Moussouris, CPO of HackerOne, told Reuters.
According to Vice’s Motherboard, the VTech breach also compromised thousands of pictures of parents and children taking on the company’s gadgets and toys, as well as a year’s worth of online chat logs.
The exposed data is primarily from VTech’s Kid Connect service, which allows children to use their VTech tablets to chat with their parents via a smartphone app.
The well-known online repository for data breaches, Have I Been Pwned, lists the VTech attack as the fourth largest consumer data breach on record.
“VTech is a toymaker and I don’t expect them to be security superstars. They are amateurs in the field of security,” Tod Beardsley, security research manager at Rapid7, told Reuters.
VTech confirmed that the breached database contained customers’ names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history. It also gave hackers access to children’s names, genders and birth dates.
The company said credit card information, ID card numbers, Social Security numbers and drivers license numbers were not accessed by the hackers.