In the wake of one of the biggest data breaches in history, where almost 5 million customer accounts were compromised and the details of over 200,000 children were stolen from children's toy and gadget maker VTech, the Chinese company has taken its Learning Lodge website offline as it faces strong criticism of its lackluster security practices.
Learning Lodge, the online portal that allows VTech customers to register accounts for themselves and their children as well as download apps, e-books and other content to their VTech products, has been taken offline in the wake of what is the fourth-largest consumer data breach in history. The move follows the revelation that an unknown hacker, who says he will do "nothing" with the data, revealed information such as names, email addresses, passwords, and home addresses. The hacker was also able to access data about the children using VTech's range of computers, tablets and other gadgets, including their first names, date of birth and gender. Even more worrying, the way the company stored information allowed anyone with access to the data to link the parents to their children, revealing their full identity.
This final fact was discovered by Troy Hunt, a security expert and operator of the Have I Been Pwned? service, which allows anyone to search databases of known hacks to see if their details have been compromised. According to the service, which has now been updated with the details from the VTech database, this is the fourth-largest consumer data breach in history. In a blog post, Hunt pointed out that he is more worried about the ongoing problems at VTech despite the company's statements that seem to suggest the problems have been fixed.
Hunt was provided with the database by Motherboard's Lorenzo Franceschi-Bicchierai -- who first reported the breach -- and the Hong-Kong-based company has since issued a statement about the breach, saying it has emailed all customers. "Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks." The company went on to try and make the case that the data breach was not as troublesome as it might have been as no financial information was stolen: "It is important to note that our customer database does not contain any credit card information."
The company added that no "personal identification data" was compromised, but Hunt disagrees and believes the statement is simply an attempt to "appease the likes of PCI [Payment Card Industry]", adding that the theft of irreplaceable information is much more worrying and the problems remain in place. "Despite [VTech's] assurances that their system is now secure, they still have gaping holes that allow every kid to be matched with every parent."
Hunt outlines what he calls "serious failings" in the company's implementation of security on the website Learning Lodge where parents register their accounts and where the information was likely stolen from.
Communication with the website does not use any encryption, meaning it is leaving itself open to hackers carrying out man-in-the-middle attacks allowing them to steal passwords, usernames and all the other information that users put into the site when setting up an account, and while they may not be linked to credit card data, the details fed into this website will likely correspond to other online services. "These days, we’re well beyond the point of arguing this is ok – it’s not," Hunt said. "Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit."
Hunt also points out that while passwords are nominally encrypted, the method of encryption (MD5 hashing) is "so close to useless...they may as well have not even bothered." Even worse, the security questions and the answers provided by customers are stored in plain text with Hunt pointing out just how serious a breach like this is. "Those security question-and-answer pairs are irrevocable pieces of personal information used to establish identity in all sorts of different places."
Hunt says there is no "quick fix" for these problems and passed on his concerns to VTech, suggesting it take its website offline. The company appears to have listened to the concerns being expressed and says investigations are continuing into the breach.
For his part, Hunt has put all 4.8 million adult customer details into his Have I Been Pwned? database but has not put the children's information into the list, but he makes the prescient warning that "this will be the first of many times their data will be breached, dumped and traded online."