A lack of basic encryption and a flawed system design made it easy for attackers to gain access to the interactive toy maker’s user data. Alongside user passwords and personal details, the stolen data contained 2.3 million pictures of children.
The inglorious book of massive data thefts just got another top entry: last week, interactive toy maker VTech admitted that its app store had been breached by hackers. The full extent of the attack was exposed yesterday: the hackers managed to access 4,833,678 user names, passwords and email addresses – and over 2.3 million pictures of children.
According to VTech, no credit card data or other sensitive information was compromised. What makes this hack so troubling is the victim: a company that encourages parents and their children to exchange photos as a nice, fun app feature, and did so without basic data protection.
The data breach was initially exposed by an anonymous hacker, who performed an SQL injection attack to dump data from the app store’s servers. According to security expert Troy Hunt, VTech failed miserably at protecting its users. For example, it didn’t implement SSL, so the communication between devices, services and its servers was not encrypted – including passwords, user data and files.
The parents’ password database is protected only by MD5 hashes, which offer protection only for strong passwords: weak ones can be recovered from an MD5 hash with little effort. Many users still use the same password for several online accounts and even payment services, so a recovered password opens far more than a VTech account.
The children’s password database was nothing more than five CSV files containing lists of plain-text passwords; although these passwords aren’t as sensitive as the parents’ database, it still shows a system that wasn’t designed with security in mind. All of these flaws are pretty obvious and simple to fix, if only the company had bothered to look.
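As an added illustration (not VTech’s code or anything from the article), the following Python contrasts a bare MD5 password store like the one described for the parents’ database with a salted, deliberately slow scrypt store, and shows why a precomputed table of common passwords breaks the first but not the second. The wordlist, scrypt cost parameters and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Weak scheme, as described for the parents' database: a bare MD5 of the
# password. Every user with the same password gets the same hash, and a
# table of MD5 values for common passwords reveals them instantly.
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hardened scheme (an assumption for this example, not what VTech used):
# a random per-user salt plus a slow key derivation function. scrypt is in
# the standard library; the cost parameters are illustrative, not tuned.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def store_scrypt(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"{salt.hex()}${key.hex()}"

def verify_scrypt(password: str, stored: str) -> bool:
    salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(key.hex(), key_hex)

# Constructed stand-in for the common-password lists used in real cracking.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def precomputed_md5_table(words) -> dict:
    """Map MD5 hex digest -> password for every word in the list."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def audit_md5_store(stored_hashes, table) -> dict:
    """Defensive audit: which stored MD5 hashes does the table expose?"""
    return {h: table[h] for h in stored_hashes if h in table}

if __name__ == "__main__":
    table = precomputed_md5_table(COMMON_PASSWORDS)
    md5_store = [store_md5("123456"), store_md5("Tr0ub4dor&3-xyz")]
    print("exposed by table lookup:", audit_md5_store(md5_store, table))
    s1, s2 = store_scrypt("123456"), store_scrypt("123456")
    print("same password, different records:", s1 != s2)
    print("derived key in table:", s1.split("$")[1] in table)
    print("verify ok:", verify_scrypt("123456", s1))
```

The MD5 store leaks every weak password with one dictionary lookup, while the salted scrypt record has to be attacked one user at a time at the KDF’s cost; the children’s plain-text CSVs needed no attack at all.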
Compared with other online service data thefts such as the ALM (Ashley Madison) hack, it’s clear just how underprotected VTech’s systems were. The hacker group Impact Team, which attacked ALM, had to combine several methods – spear phishing, impersonation and malware insertion – before gaining access to the user records.
VTech’s case was different: its apps, app store and database were so easy to access that security specialists fear the data might have been stolen by several hackers and spread online. It’s hard to assess the attack’s scope, as there weren’t any security tools monitoring its network to discover suspicious data transfers or database access.
The company stated that once the breach was discovered, it began investigating the case. To prevent further data theft, the services were shut down until the vulnerabilities could be fixed. This, naturally, was too late for millions of customers. Affected user email addresses are available at Have I Been Pwned (HIBP).
It’s time to get angry
Users and corporations experience attacks on a weekly basis, and many companies don’t use basic tools to protect their users. But this breach is no ordinary data theft: it exposed children’s personal data – pictures, gender, birthdays, chat logs, addresses, schools and audio recordings. It’s time for users to get angry and demand better regulation and enforcement of basic security protocols.
VTech could have used simple SSL to encrypt its communication, shielded the data using active or passive methods, implemented two-step authentication for its users, and so on – all of which are common practice. Maybe this unusual data breach will drive users to demand better security from online service vendors – and hold VTech liable for every stolen byte.