6.4m kids - Vtech hack in numbers

“Our database was not as secure as it should have been.”

Children’s toy company Vtech announced it was hacked last week – with millions of children’s accounts accessed.

The stolen data includes names and addresses, as well as, reportedly, pictures and chat logs.
Vtech they are still investigating the full extent of the hack.
On Tuesday, the company shared more information about the breach.
It admitted: “Our database was not as secure as it should have been.”
Here’s what we now know:
6,368,509 children’s accounts affected
4,854,209 parental accounts accessed
Countries most affected:
– USA (2,894,091 children)
– France (1,173,497)
– UK (727,155)
In total, 16 “countries” are affected – Vtech lists Latin America as a single country, so the actual number is unclear.
The hack occurred on 14th November 2015. The company discovered the breach, after being contacted by a journalist, 10 days later on the 24th November.
Customers were informed on 27th November, 13 days after the initial breach.
Number of credit card details stolen: 0
Vtech services currently offline: 14
Vice technology site Motherboard reported that chat logs had been accessed too – the company said only undelivered messages were stored on the company servers, and these get deleted after 30 days. The messages were unencrypted.
Contained in the hack data (according to Vtech):

  • “Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password.
  • “Kids profiles include name, genders and birthdates.
  • “Encrypted Learning Lodge’s contents including, Kid Connect’s profile photos, undelivered Kid Connect messages, bulletin board postings and Learning Lodge content (ebooks, apps, games etc).
  • “Download sales report logs.
  • “Progress logs to track kids games, for parents’ reference.”

Not included in the hack:

  • Credit card information.
  • Personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Customers affected by the breach have been contacted by email, the company said.
Source: http://www.bbc.co.uk/