Children’s toymaker VTech has had its app store database breached, potentially exposing the personal data of 4.8 million adults and over 200,000 children, in one of the biggest breaches in consumer history.
The firm has confirmed that the breach, originally reported by Vice’s Motherboard tech website, occurred on November 14th. The hacker claiming responsibility passed some personal files on to Motherboard.
In a statement to the website, VTech said: "On November 14 [Hong Kong Time] an unauthorised party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorised access until you alerted us."
The company has since written to customers, saying: "Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks."
It also says that the customer database does not contain any credit card or banking information. The fear is that the data could result in links being made between parents’ details and their children’s names, potentially revealing the full name and address of children.
Security expert Troy Hunt, who analysed some of the breach records, said that the records were hashed with the MD5 algorithm, which is not considered particularly robust, and that secret questions used for password or account recovery were stored in plaintext.
Another expert, Professor Alan Woodward, told the BBC that he thought the attack looked like it had been conducted via SQL injection.