Toy Tablet Company Hacked; 5M Customer Records Leaked

John Lister's picture

Toy manufacturer VTech has been the victim of a hack that exposed details of five million customers. The compromised data included some details, albeit limited, of the children who use the products.

As its name suggests, VTech's product range includes many electronic toys that have increased in sophistication over the years. These include several tablet computers which don't allow web access, but do let children share messages with friends and family and download child-friendly apps through a system known as the "Learning Lodge."

No Financial Data Compromised

The company has now revealed that a hacker was able to access data from its database of Learning Lodge customer information. It says the compromised data included "user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history. In addition, the database also stores kids information including name, genders and birthdates."

VTech stressed that the database doesn't include any personal identification data such as social security numbers. It also pointed out that all credit card transactions related to Learning Lodge are handled by a third party and thus aren't in the database.

As a precautionary measure, VTech has contacted all customers and temporarily suspended both the Learning Lodge website and the service itself, a suspension that was still in force at the time of writing. The breach was considered so serious that trading in the company's stock was briefly suspended before being reinstated.

Kids' Home Addresses Could Be Found

Security specialist Troy Hunt has noted that although the information VTech had on children was extremely limited, it's made much more serious by being stored in a database alongside the details of parents.

As the database was publicly leaked by the hackers, Hunt was able to analyze it and, by checking with some of the customers, confirm the leaked data was genuine. He found that not only were the passwords stored with the absolute minimum level of encryption, but the security questions and answers on accounts were stored as plain text.

The way the data was set up means its possible to not only identify a specific child through first name, age and gender, but then to use the matching parent's account data to discover the child's surname and physical address. (Source:

One online rights group has reported the breach to the Federal Trade Commission, calling for an investigation into whether VTech has broken the Children's Online Privacy Protection Act, a law which lays down enhanced privacy rules for children aged 11 and younger. (Source:

What's Your Opinion?

Do you have kids or other child relatives who use VTech's Learning Lodge? Are you concerned about the way companies handle data about children? Should firms take additional measures to prevent both direct and indirect identification of specific children by hackers?

Rate this article: 
Average: 4.8 (4 votes)


Dennis Faas's picture

This reminds me of the Target hack a few years back. Sure, there was no credit card data lost in this hack, however, the information alone is a treasure trove for hackers that can build a social profile of the parents.

There should be a mandatory law for companies that generate over X dollars revenue per year, such that all databases be encrypted if that company manages transactions online, or for companies that provide remote access to its databases.

There should also be a strict set of guidelines for best security practices. Random checks should be carried out by the government to ensure compliance; companies that are not in compliance should be penalized. I don't see any better way to help prevent hacks like this from happening.

Syscob Support's picture

Why the “over X dollars revenue” constraint? Anyone, business or individual, keeping data about others should be held legally responsible if that data is compromised. Allowing information about someone to be accessed by another should be a felony and should automatically establish a civil liability to those whose information was leaked.

Maybe that would establish as a fact in the minds of the population in general and the businesses which naïvely imagine a web site can be made secure that ANYTHING ON THE WEB CAN BE HACKED!

ecash's picture

Old computer people learned many lessons on protecting things..
Even NEW internet people have learned many thing about protection..
Server Admins, know allot about protecting DATA..

So, how many companies have Learned NOTHING, of the last 10 years, about online protections..?
Separating the data would be nothing, and requiring a Separate password to open a second system to gather the data, should be easy.
Having a MAIN program to use to READ this data, only..would be nothing..
The AMOUNT of data being addressed, should of put up warnings..
The Person, ISP, and other data OF the persons doing it, should of been Logged, as well as NOTING that they were hitting more then 1 account..
HIDING these files seems abit old hat, but pretty easy, if someone is wondering around a server..

Something is WRONG here. SOMEONE isnt LISTENING(AS IN THE SONY CASE) About how to protect things. And how many people should be WATCHING the servers..