VTech Hack – Over 7 Million Records Leaked (Children & Parents)

Use Netsparker


And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them with account passwords ‘secured’ with unsalted md5 hashes and all kinds of private information being leaked includes parents addresses, kids birthdays, genders, secret answers and associated meta-data (IP addresses, download histories and more).

VTech Hacked - Over 7 Million Records Leaked

The attack originally claimed to have leaked only around 220,000 records – but it turns out to be way worse than that. 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker’s database.

And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.

Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.

Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found “4.8 million unique customer email addresses,” suggesting that many accounts have been raided by hackers.

He also said people’s account passwords were one-way encrypted using MD5, a particularly weak hashing algorithm, meaning simple passwords can be easily cracked and revealed. No salting was used, so off-the-shelf rainbow tables can be used to divulge rudimentary passwords like “children15” or “welcome81”.


So yah pretty serious stuff, with the compromises of KidConnect and Learning Lodge holding some fairly sensitive information on both parents and children. Even though chats, images and audio are encrypted, it turns out they aren’t encrypted very well using a fairly weak algorithm AND weak keys. For example in the md5 hash for the filename they use a hash of the KidConnect username, in uppercase, and a constant value – ‘vtech’ or ‘vtechvtech’.

And the data itself is encrypted with the current time + a PRNG = not a very securely encrypted file.

Toymaker VTech has admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

That admission comes four days after it emerged that a hacker had raided the entertainment company’s customer database.

After families buy VTech’s computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.

That requires handing over sensitive information, such as parents’ names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech’s poor online security.

“Regretfully our database was not as secure as it should have been,” VTech’s FAQ admitted.

So yah, quite a mess for them. They are vehemently claiming no credit card details or social security numbers were leaked – because well that stuff makes you liable.

But everything else was leaked, and honestly – along with it one of the worst crypto implementations I’ve ever seen. If you really want to have a laugh, check it out here:

Seriously.

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities, Privacy


Latest Posts:


RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.


One Response to VTech Hack – Over 7 Million Records Leaked (Children & Parents)

  1. Anonymous December 4, 2015 at 1:54 am #

    The data hasn’t been leaked.