Data breach of toy maker VTech leaked photos of children, parents - fitzgeraldpachise45

The data breach of Hong Kong toy manufacturer VTech appears to have besides enclosed photos of children and parents, adding to what could be one of the most stunning leaks of the year.

VTech, which makes cordless phones and what it terms electronic acquisition devices for kids, apologized along Twitter on Mon. The company said it has suspended the affected service, called Learning Lodge, and is notifying customers.

Frailty's Motherboard tech news site, which first reported the break, same connected Monday the breach also contained thousands of photos of parents and kids and chat logs.

VTech officials couldn't immediately be reached for comment on Tuesday.

The offend affected a database for VTech's Learning Lodge app computer memory, an online service that connects to more of the company's devices. VTech said the database was accessed on Nov. 14.

The compromised information includes 4.8 million customer netmail addresses, names and weakly hashed passwords of adult enrolled users. It as wel includes the gender, firstly name and nascency dates of more than 200,000 children.

The customer data came from users in the U.S., Canada, U.K., Ireland, Jacques Anatole Francois Thibault, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, Republic of China, Australia, New Zealand and Latin America, VTech same in a FAQ.

The data was passed to Motherboard by the hacker, the publication reported. Motherboard was told the data was obtained by a SQL injection vulnerability.

A SQL injection flaw, one of the most common types of problems with websites, can allow a hacker to enter commands into a Web-founded form and get the back-end database to respond.

Much of the VTech data was passed by Motherboard to Iliu Hunt, an Australia-based security expert who studies data breaches and runs a notification service known as Have I Been Pwned.

He verified the leaked data by contacting some people who had recorded for his overhaul, which notifies people if their email addresses turns up in a new information breach.

In a lengthy blog post along Saturday, Hunt's investigation of VTech's Learning Lodge and related to online services inverted risen numerous egregious security issues.

VTech's write u enrollment services do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts data sent between a user's figurer and a table service, Trace wrote. It's considered a high risk to not enable SSL/TLS, particularly when registering accounts with individualised information and passwords.

vtech account registration — This is one of VTech's score registration panels for parents.

VTech same the passwords stored were encrypted. Hunt found VTech stored password hashes, which are cryptographic representations of passwords that have been churned through an algorithm.

But VTech used an algorithm titled MD5, which is considered very weak. Converting those hashes into their original passwords is possible victimisation decoding tools and powerful art processors.

"The vast majority of these passwords would constitute cracked in next to no time," Hunt wrote.

Further analysis by Hunt showed IT is easy to match the documented accounts of parents with their registered children. The flaws, atomic number 2 said, have been reported to VTech.

"The flaws are fundamental, and the testimonial I've passed on is to admit it offline ASAP until they can fix it properly," Hunt wrote. "You scarcely fundament't hazard with other mass's data therein way, especially not when they'rhenium kids."

Chris Eng, vice president of security research at Veracode, said some consumer applied science companies Don't view security arsenic a primary part of their core business, and "they're paying the price for it."

"VTech is a toy troupe," Eng aforesaid. "Toy manufacturers don't have the rigor around secure exploitation that's requisite in today's environment and are inevitably going to fall pint-sized on surety."