Shocking VTech Hack Gives Attacker Access to Thousands of Photos of Children

You may have seen an article several days ago detailing a hack into the servers of the children's toy company VTech. The hack gave attackers access to personal data for over 5 million parents and over 200,000 children. Motherboard has just posted an update to their story revealing that the hacker was also able to download over 190 GB of photos uploaded from thousands of children's camera-equipped tablets.

If you aren't familiar with VTech, they are a multi-billion dollar company that sells primarily electronic learning toys for children as well as baby monitors. They have been experiencing success in recent years with lines of products that are child versions of grownup devices, such as action cams, tablets, and smartwatches.

Many of these devices offer connectivity to the company's "Premium VTech Kid Connect" service, described by VTech as a technology that allows sharing of photos and messages between kids and parents.

Kids can wirelessly send and receive text and voice messages, photos and drawings with iPhone and Android smartphones ... parents can update VTech Kid Connect so children can chat and share posts with family members using the new Family Bulletin and Family Group Chat.

Source: VTech

The hacker spoke to Motherboard and explained how all of the data was linked together:

'I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],' the hacker told Motherboard. 'I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames ... of everyone in their Kid Connect contacts list.'

The attacker shared several thousand images with Motherboard as proof of the attack, but has no plans to publish or sell the data:

'Frankly, it makes me sick that I was able to get all this stuff,' the hacker told me in an encrypted chat. 'VTech should have the book thrown at them.'

This whole business emphasizes the idea that nothing is truly secure; for every new form of encryption, there's a hacker out there who wants to find a new way to overcome it. By actively encouraging parents to trade messages and photos with their children, VTech was asking them to put their faith in the security of their servers, a faith that was clearly misplaced.

[via Motherboard, header image via Nana B Agyei]

Andrew is a professional photographer based in Houston, Texas. Texas is better than all other states including Canada.

7 Comments

If it was an SQL injection, as described in the linked article, it does not "emphasize nothing is truly secure", but instead that basic web design and security principles were disregarded by a company ... or would you run a website that lets anonymous people do random database queries and edits?

Actually, the fact that a company with personal data for over 5 million users disregarded basic design and security principles is exactly why I think that nothing is truly secure. People shouldn't just blindly trust internet-based services simply because they had to create a password when they signed up for something.

Not to mention that, more often than not, it's a good bit of social engineering that gives attackers preliminary access to higher security systems, and humans will always be a security weakness.

Perhaps I'm paranoid but I don't even use the iCloud. I don't trust those folks to hold any of my stuff securely quite frankly.

Then again if someone wants to steal lame pictures my wife might have been sending to my kid via a toy I wouldn't get too upset about it. It's not like they got my SSN or something.

This might be worth reading at Motherboard about SQL injections if anyone is curious:

http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-t...

In the UK they could be heavily fined under the Data Protection Act for not securing data, and Europe has similar rules. This could get messy for VTech.

Good link man, thanks!

Here's another link.
http://imgs.xkcd.com/comics/exploits_of_a_mom.png
SQLi is indeed as old as database usage on the Internet. Sigh.