Massive VTech hack

For anyone with young children, VTech is a familiar name, a logo enblazoned on numerous toys cluttering up the house.

VTech is a Chinese company, and in November, VTech's servers were hacked and the personal data of almost 5 million customers was stolen.

Amongst the data were usernames and password hashes. Passwords were hashed with MD5, making it trivial to retrieve passwords. It also contained secret questions and answers, sufficient for changing the account's password. Worse, the data also contains enough details to be able to determine children's ages, the names of their parents, and their address.

VTech has just provided more details about the breach, and notes that the profiles of 6.3 million children were also stolen. It is not yet confirmed, but children's photos and chat logs may also have been stolen.

Apparently, this is the the fourth largest consumer data breach ever, and demonstrates yet again that the usual security lessons have not been learnt.

If you have a VTech account or accounts on any of their associated websites (listed here), then you should immediately change your password (if that's possible - a number of their sites are now suspended).

There's not much you can do about your other details that are now available to the world, but it is good practice to be very cautious in disclosing the personal details of children on the web. At the very least, never use children's real birthdays - always use fake birthdays that don't disclose the day, month or year of their birth. That's a practice worth extending to your own social media accounts.

More details on the hack can be found at Motherboard.

Posted by John Faulds in