VTech, which makes electronic products aimed at children suffered a security breach that has affected some five million accounts. The company acknowledged that an unknown hacker penetrated its security system and stole hundreds of gigabytes of information from company servers.
The breach, which occurred on 24 November, turned up hundreds of pictures of children who use VTech’s products. Motherboard managed to contact the anonymous hacker, who provided a sample of the stolen data as proof of the hack. While the online magazine has been unable to verify the authenticity of the data, VTech’s acknowledgement of the security breach correlates with the information.
The stolen data also includes email addresses, names, passwords, home addresses, and birthdays of some five million accounts; with some 200,000 children. Fortunately, the hacker behind the cyberattack bears no malice towards the company. When asked what he intends to do with the data, the person simply said, “nothing.”
The hacker gained access to VTech’s database by using the SQL injection, a technique widely used by hackers where they insert malicious commands into a website’s entry field, tricking it into returning other data. The data was later analysed by security researcher Troy Hunt, who was discovered that the database itself lacked proper encryption. The passwords of those five million accounts were surprisingly hashed with just an MD5 algorithm; which is considered to be easy for dedicated attackers to decrypt.
VTech stated in its announcement that it is looking at additional ways to maximise the security of its servers. However, in this case it could be a case of too little, too late.