The Hong Kong company Vtech® had been a leading provider of children’s toys throughout the 2000s. According to their website, the company has made over $2372 million in revenue since 2001, with their most popular toys being their talking cow and their children’s camera. Just recently, however, the firm has been ordered to suspend trading and production of its products after exposing a hack that leaked the personal information of about 4.8 million customers.
According to security analyst Troy Hunt, an “unauthorized party hired by Vtech® had accessed private customer data on Vtech’s ‘Learning Lodge’ mobile app”. The data displayed on the app included people’s addresses, their online search history, and even their bank account details. “Some password information was also stolen but was well encrypted keeping their information secure”, reported Hunt.
The breach was first discovered after the stolen personal data was spammed on the Internet; it contained an entire database of customer information such as the names, addresses, and genders of both the parent and child. Over 227,000 children’s records have been leaked. It is unknown how the company managed to acquire this private information.
“Once the passwords hit the database”, says Hunt, “they’re protected with nothing more than a straight MD5 hash, which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text. The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you could do next to no cryptographic protection at all.”
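The storage weakness described in the quote, shown beside a hardened form with an upgrade-on-login path. This is an added example, not code from the original article or from Vtech; the record format, function names, sample accounts and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_md5(password: str) -> str:
    """The scheme in the quote: one unsalted MD5 pass, stored as hex."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str) -> str:
    """Per-user random salt plus a slow KDF: 'pbkdf2$iters$salt$digest'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a login against either format; return (ok, record to store)."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    # A correct login is the only moment the plaintext is available, so the
    # legacy record is replaced with a salted, slow hash right then.
    return ok, (strong_hash(password) if ok else stored)


def shared_digests(db: Dict[str, str]) -> List[List[str]]:
    """Audit: groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, stored in db.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts, not data from the breach.
    db = {u: legacy_md5(p) for u, p in
          [("parent_a", "sunshine1"), ("parent_b", "sunshine1"), ("parent_c", "Tr0ub4dor&3")]}
    print("identical unsalted digests:", shared_digests(db))
    for user, pw in [("parent_a", "sunshine1"), ("parent_b", "sunshine1")]:
        _, db[user] = verify_and_upgrade(pw, db[user])
    print("after upgrade-on-login:", shared_digests(db))
```

With unsalted MD5, every account using the same password stores the same digest, so the audit groups them immediately; after the upgrade the per-user salt makes each record unique.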
While Vtech® has been busted for committing illegal espionage (spying on others for personal information), this is not the only occurrence in recent years. The Mattel Inc® company faced a $50 million lawsuit in 2019 after their “wi-fi Barbie dolls” had hidden wiretaps and microphones to record people’s conversations. “Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterward to placate people”, concludes Hunt.