A hacker claiming responsibility for the attack allegedly gained access to the gadget and toy company’s database through a technique known as a SQL injection, in which hackers type malicious commands into a website’s user text box, tricking it into returning other data. The hacker was then able to break into VTech’s web and database servers, where they had full system access.
Personal information on almost 5 million parents and more than 200,000 kids was compromised.
“What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard,” the publication reports.
Sensitive data from VTech’s servers was provided to Motherboard a week ago.
The exposed data includes names, email addresses, passwords, and home addresses of millions of parents who have bought products sold by VTech. The dump also includes the first names, genders and birthdays of kids.
“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database,” Grace Pang, a VTech spokesperson, told Motherboard. “We were not aware of this unauthorized access until you alerted us.”
On Nov. 27, the publication asked the hacker what the plan was for the data. The answer: “nothing.”
VTech announced the breach publicly on Nov. 27, but did not disclose the scope of the exposure.
“When it includes their parents as well—along with their home address—and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’ I start to run out of superlatives to even describe how bad that is,” security expert Troy Hunt wrote in a blog post.