We’ve become accustomed to massive hacks targeting financial and retail institutions, but a recent digital ransacking of a popular kids’ electronics manufacturer shows that anyone is vulnerable—even children.

The Hack

On Monday, children’s electronics manufacturer VTech acknowledged that a data breach on November 14 affected 5 million customer accounts, along with the user profiles of kids connected to those accounts. The hack, first reported by Motherboard over the holiday weekend, specifically targeted VTech’s “Learning Lodge” app store database.

The swiped data includes the names, email addresses, encrypted passwords, security questions and answers, IP addresses, mailing addresses, and download history of Learning Lodge customers. VTech says the hack did not access users’ credit card information or their more sensitive personal information, like Social Security numbers.

Even more troubling, according to documentation provided by the hacker to Motherboard, it appears that VTech also left at least 190GB of kids’ photos, and chats between parents and kids, stored and vulnerable on its servers.

VTech has contacted all affected customers directly, and says that it has “taken thorough actions against future attacks.”

Who’s Affected?

Anyone who’s downloaded an app, game, ebook, or other software onto a VTech product through the Learning Lodge app store, or who used its Kid Connect service, should consider their information compromised. That adds up to a lot of people. VTech makes popular children’s tablets under the InnoTab brand, the InnoTV “educational gaming system,” and even a kid-focused smartwatch and action cam in its Kidizoom line.

While the hack accessed almost 5 million adults’ personal information, Motherboard reports that the names, genders, and birthdays of 200,000 kids were also scooped up, and that their information could be matched to the more thorough parental data.

How Serious Is This?

There is at least some good news. The hack doesn’t appear to have been openly malicious; the hacker sent Motherboard the information he found to raise awareness of how vulnerable VTech’s database was, and reportedly says he has no intention to expose or sell it. VTech also claims to have not just fixed the existing problem, but to be looking into “additional measures” to strengthen its security.

What’s less encouraging is that had the hacker not come forward voluntarily, this may never have been detected at all. “We received an email from a Canadian journalist asking about the incident on November 23 EST,” the company says in a FAQ for affected customers. “After receiving the email, we carried out an internal investigation and detected some irregular activity on our Learning Lodge website on November 14 HKT.” Before that email came through, VTech had no idea.

The hack is troubling, too, if only as a reminder that the more connected devices we put in the hands (and on the wrists, apparently) of our kids, the more we expose them to the very grown-up problems of a world riddled with questionable cybersecurity practices. Cloud-connected, kid-focused products increasingly fill toy store aisles, whether from VTech or other vendors.

This time, the fallout appears to be a public shaming and a sense of unease. Next time could be significantly worse. In fact, if VTech’s own lack of self-awareness is any indication, “next time” may well have already happened.


Hack Brief: Hacker Strikes Kids’ Gadget Maker VTech to Steal 5 Million Accounts