A hacker got into a customer database for the Learning Lodge app store, where parents can download apps, games and e-books for VTech toys.
VTech, a Chinese company that makes popular electronic toys for kids, had its app store hacked.
An “unauthorized party” accessed customer information in a database for VTech’s Learning Lodge app store on November 14, the company said in a statement Friday. The app store lets parents download apps, games, e-books and educational content to VTech toys.
The database contains customer data including name, email address, password, IP address, mailing address and download history. It does not contain credit card information, the company said.
VTech has not said how many customers were affected, but Motherboard, which first reported the hack, said information on nearly 5 million parents and more than 200,000 kids was exposed. The hacked data included kids’ first names, genders and birthdays, according to Motherboard.
VTech did not respond to a request for more information.
While hackers can have a variety of motives, similar attacks have resulted in customer data being sold on the Web’s black market, allowing criminals to steal goods with another person’s identity. Hackers can use stolen data for a range of phishing attacks designed to target people through their email addresses and get them to click on links to steal even more sensitive information.
Motherboard was notified of the breach by an unidentified hacker who claimed responsibility. The hacker said he intends to do “nothing” with the data, according to Motherboard.
If the number of exposed accounts reported by Motherboard is accurate, the VTech breach would be among the largest hacks in recent years. In August, hackers published data from more than 30 million accounts on adultery website Ashley Madison. The personal information of an estimated 110 million Target customers was stolen in 2013 by malware installed on the retailer’s point-of-sale terminals.
VTech said it is investigating the hack and has taken steps to prevent future hacks.
In short, this security breach has revealed that sensitive and private information on nearly five million families was poorly protected from crooks and identity thieves – families in the US, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand, we’re told.
The toymaker said in a statement: “Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.”
VTech added it is still investigating the infiltration, and has vowed to shore up its IT defenses. It has also emailed its Learning Lodge customers to warn them of the security breach – here’s a copy sent to El Reg by reader Simon:
Dear Valued Customer,
On November 24 HKT we discovered that an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database on November 14 HKT. Our records show that you are a customer of the Learning Lodge.
Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
It is important to note that our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).
Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. Our investigation continues as we look at additional ways to strengthen our Learning Lodge database security.
King F. Pang
VTech Holdings Limited
VTech was not available for immediate comment.