VTech said an unauthorized party accessed its Learning Lodge app store database containing general user profile information including name, e-mail address, encrypted password, secret question and answer for password retrieval, mailing address, IP address and download history. The company emphasized that no payment card information was accessed.
In an exclusive interview with Motherboard, the alleged hacker said they gained access to the database via SQL injection. From there, the attacker claimed to have gained root access to the company’s web and database servers. The hacker has no intentions of releasing or selling the data, we're told.
VTech admits it wasn’t even aware of the attack until “a Canadian journalist” asked about the incident.
The toy maker said the compromised database includes customer data from the following countries: USA, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.
Motherboard notes that data belonging to 4,833,678 parents was compromised. The dump also includes the first names, genders and birthdays of more than 200,000 children. An expert who viewed the data said it’s possible to link the children to their parents, thus exposing the kids’ full identities.
VTech said it has since fixed the security hole.
Image courtesy VTechToys, YouTube