A cyberattack targeting Hong Kong-based children’s toy manufacturer VTech has left millions of accounts compromised, putting the data of parents and children alike at risk. The breach took place on Nov. 14; VTech discovered it 10 days later.
What should you know about the VTech hack? Find out more below:
How many people have been affected and how?
On Nov. 30, VTech confirmed that about five million customer accounts and children’s profiles associated with those accounts have been compromised. The hacker, or hackers, was able to access data housed in VTech’s Learning Lodge app store, according to the company. The exposed data includes parents’ names, email addresses, passwords, secret questions and answers used to verify account information, IP addresses, mailing addresses, and download history. Information about children, such as names, genders, and birth dates, have also been taken.
Customers in the United States, France, the United Kingdom, Germany, Canada, Spain, Belgium, the Netherlands, the Republic of Ireland, Latin America, Australia, Denmark, Luxembourg, and New Zealand have been impacted by the breach, according to VTech.
Motherboard reports that photos of children and their parents were also vulnerable. A hacker told the technology news site he or she was able to download nearly 200GB worth of photos from VTech’s Kid Connect Platform, a feature that lets children and parents exchange messages over the company’s products. Audio clips of children speaking have also reportedly been found on the server. VTech hasn’t confirmed this since the investigation is still ongoing, but did say that photos and audio clips stored in its database are encrypted while chat logs are not.
What about credit card numbers?
The database that was breached doesn’t store credit card data, social security numbers or drivers license numbers. VTech says payments are not processed on the Learning Lodge website, but rather via a secure third-party payment gateway.
How did the hacker(s) get in?
VTech’s servers were breached using a technique known as SQL injection, according to Motherboard. This is an attack in which malicious code is injected into forms found on websites, where users typically enter personal data.
The stolen account passwords were hashed, a method of hiding the characters in a password by transforming that passcode into a different string of characters. These passwords, however, were hashed using a specific algorithm known as MD5, which has been said to be easy to crack.
Troy Hunt, the security researcher who verified the attack as part of Motherboard’s investigation, also made some worrisome observations about the state of VTech’s web security in general. According to Hunt, VTech doesn’t use SSL, which creates a secure connection between a website and a visitor’s browser. SSL is a commonly used security feature used across the Internet.
Why is this hack different from others?
The VTech hack follows several other high-profile cybersecurity incidents we’ve seen over the past year, including hacks against Sony and adult hookup site Ashley Madison. But the VTech hack is particularly unsettling for two reasons: It involves the personal data of children, and it’s unclear why VTech was storing this data in the first place. VTech writes that it uses personal information to identify its customers and track their downloads.
When asked for comment and confirmation regarding the details above, VTech pointed TIME to this FAQ document.