A Nov. 14 security breach of electronic toy maker VTech exposed the personal information of around 5 million customer accounts, including details on children, according to NBC News.
The company discovered the breach 10 days later, finding a hacker accessed VTech's Learning Lodge, a site where parents download apps and e-books among other things for their kids' VTech toys, Keith Wagstaff wrote for NBC News. No credit card numbers were stolen, but hackers garnered names, email addresses, passwords, mailing addresses, and the names, genders and birth dates of children.
And Dave Lee wrote for BBC News of the massive breach's most concerning facet: the hacker accessing pictures, chat logs and audio recordings of children.
BBC News noted VTech's Monday statement on the hacks "made no reference to pictures or audio recordings."
However, the anonymous hacker behind the breach told Lorenzo Franceschi-Bicchierai of Motherboard that VTech left thousands of pictures of both kids and parents and a year's worth of chat logs online in a way "easily accessible to hackers."
According to Motherboard, the hacker indicated he downloaded more than 190GB worth of photos and shared 3,832 image files with the publication for verification purposes, though he said he didn't plan to publish or sell the data.
"Frankly, it makes me sick that I was able to get all this stuff," the hacker told Motherboard. "VTech should have the book thrown at them."
Motherboard went on to quote the hacker as saying the breach "was pretty easy to dump" and that "someone with darker motives could easily get it."
Adam Clark Estes noted for Gizmodo that this is why the blunder is on VTech. The company failed to put even basic precautions in place to keep customers' data safe, security researcher Troy Hunt said.
"All communications are over unencrypted connections including when passwords, parents' details and sensitive information about kids is transmitted," Gizmodo quoted Hunt as writing. "These days, we're well beyond the point of arguing this is OK - it's not. Those passwords will match many of the parent's other accounts, and they deserve to be properly protected in transit."
So is there any good news in this?
The hacker doesn't seem "openly malicious," Brian Barrett wrote for Wired. Also, VTech claims it's now fixed the problem that allowed the breach and continues to look at ways to strengthen its security.
But the hack underscores the potential downfalls of kids immersed in technology in countless ways, according to Wired.
"The hack is troubling, too, if only as a reminder that the more connected devices we put in the hands (and on the wrists, apparently) of our kids, the more we expose them to the very grown-up problems of a world riddled with questionable cybersecurity practices," Wired's report read. "Cloud-connected, kid-focused products increasingly fill toy store aisles, whether from VTech or other vendors."
VTech stated in a press release it has taken down "vulnerable portals" like the Learning Lodge until it can fix them, a move Hunt called responsible for the time being, according to Motherboard.
Jim Finkle and Clare Baldwin wrote for Reuters that Connecticut and Illinois plan to "probe" the breach to see if VTech followed data privacy principles.
The Reuters piece stated more breaches involving information collected by toys might be inevitable because manufacturers lack security expertise.
"You have all these devices and services that are connecting to the Internet by companies that don't have the experience that older software companies do in securing their data," Katie Moussouris, chief policy hacker with HackerOne, told Reuters.