Pwned: 5 Million Parents and Their Five-Year-Olds
Microsoft security expert Troy Hunt is well-known for maintaining HaveIBeenPwned.com, a website collecting the email addresses and usernames made public in major security breaches in order to warn the victims that their accounts have been compromised. Today, he announced a massive addition to the website’s database: VTech.
Troy Hunt, www.troyhunt.com, Saturday, 28 November 2015: "I suspect we're all getting a little bit too conditioned to data breaches lately. They're in…"
If you recognize the VTech brand, it might be because you have a child. Their core business is phones, but they’ve been making ELPs (Electronic Learning Products) since the 1980s.
Unfortunately, VTech does not appear to have updated its security practices as often as its hardware. Hunt has revealed that the personal information of almost 5 million parents has been compromised; they had entered it to register VTech accounts that unlock additional features on tablets bought for their children. This is the fourth-largest breach added to the HaveIBeenPwned.com database to date.
What makes this breach particularly bad is that so many of these accounts were directly tied to child sub-accounts, including the children's names and profile picture headshots. The security measures in place were also woefully inadequate: parent account passwords were stored as basic unsalted MD5 hashes, child account passwords were stored in plain text, and SSL was not implemented on any of the systems. Had an attacker been targeting a specific user, the SQL injection used to access the database might not even have been necessary to capture that user's information, so poorly was it protected.
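As an added illustration (not code from the article, Troy Hunt, or VTech), the snippet below contrasts the unsalted MD5 storage described above with a salted, iterated scheme and shows the verify-and-rehash-on-login pattern a site can use to retire legacy records without a password reset. The PBKDF2 parameters, record format and sample passwords are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme the article describes for parent accounts: a bare, unsalted
# MD5 digest. Two users with the same password get the same record, so one
# precomputed table covers the whole database. Kept only for comparison.
def legacy_md5_record(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme (assumption: PBKDF2-HMAC-SHA256 with a 16-byte random salt;
# the page does not say how VTech remediated).
PBKDF2_ITERATIONS = 600_000

def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the algorithm or cost can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison to avoid leaking digest prefixes via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def login_and_migrate(password: str, record: str) -> tuple:
    """Return (login_ok, record_to_store). A successful login against a
    legacy MD5 record transparently replaces it with a PBKDF2 record."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, record), record
    ok = hmac.compare_digest(legacy_md5_record(password), record)  # 32-hex legacy
    return ok, (pbkdf2_record(password) if ok else record)

if __name__ == "__main__":
    # Constructed sample: two parents who chose the same password.
    print(legacy_md5_record("letmein") == legacy_md5_record("letmein"))  # linkable
    print(pbkdf2_record("letmein") == pbkdf2_record("letmein"))          # not linkable
```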
VTech responded to the attack by pointing out that credit card information was not affected, but this is hardly the point. A leaked credit card number can be easily cancelled and changed. Names, locations, and other personal information — some of it specifically applying to children — cannot.
This is just another example of insufficient security applied to products whose manufacturers clearly do not regard them as a potential source of compromise. If your kid begs you for a toy tablet, take their hand and lead them to the LEGO aisle instead. Those plastic bricks may be just as pricey, but they’re probably not going to leave your personal information wide open to the internet — yet.