VTech Hack – Over 7 Million Records Leaked (Children & Parents)


And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them with account passwords ‘secured’ with unsalted md5 hashes and all kinds of private information being leaked includes parents addresses, kids birthdays, genders, secret answers and associated meta-data (IP addresses, download histories and more).

VTech Hacked - Over 7 Million Records Leaked

The attack originally claimed to have leaked only around 220,000 records – but it turns out to be way worse than that. 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker’s database.

And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.

Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.

Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found “4.8 million unique customer email addresses,” suggesting that many accounts have been raided by hackers.

He also said people’s account passwords were one-way encrypted using MD5, a particularly weak hashing algorithm, meaning simple passwords can be easily cracked and revealed. No salting was used, so off-the-shelf rainbow tables can be used to divulge rudimentary passwords like “children15” or “welcome81”.


So yah pretty serious stuff, with the compromises of KidConnect and Learning Lodge holding some fairly sensitive information on both parents and children. Even though chats, images and audio are encrypted, it turns out they aren’t encrypted very well using a fairly weak algorithm AND weak keys. For example in the md5 hash for the filename they use a hash of the KidConnect username, in uppercase, and a constant value – ‘vtech’ or ‘vtechvtech’.

And the data itself is encrypted with the current time + a PRNG = not a very securely encrypted file.

Toymaker VTech has admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

That admission comes four days after it emerged that a hacker had raided the entertainment company’s customer database.

After families buy VTech’s computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.

That requires handing over sensitive information, such as parents’ names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech’s poor online security.

“Regretfully our database was not as secure as it should have been,” VTech’s FAQ admitted.

So yah, quite a mess for them. They are vehemently claiming no credit card details or social security numbers were leaked – because well that stuff makes you liable.

But everything else was leaked, and honestly – along with it one of the worst crypto implementations I’ve ever seen. If you really want to have a laugh, check it out here:

Seriously.

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities, Privacy


Latest Posts:


LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.


One Response to VTech Hack – Over 7 Million Records Leaked (Children & Parents)

  1. Anonymous December 4, 2015 at 1:54 am #

    The data hasn’t been leaked.