Security experts see risks although VTech said no credit card, Social Security or driver license numbers are included in the breached database.
Consumer electronics vendor VTech Holdings warned today of a data breach that affects 5 million customers on its Learning Lodge app store database. Those affected include children as well as parents registered with VTech to obtain kid-friendly apps and educational content.
The breach occurred on Nov. 14, but VTech did not become aware of the attack until Nov. 24.
"Our customer database contains user profile information, including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history," VTech officials said in a statement.
According to VTech officials, no credit card data, Social Security numbers or driver license numbers are included in the breached database. After becoming aware of the breach, VTech said that it performed an investigation and added measures to protect against future attacks. Part of those measures include the suspension of the Learning Lodge apps store as well as well as 13 affected VTech Websites
Security experts eWEEK
contacted warned of potential risks even though payment card information wasn't stolen in the VTech breach.
"Names, email addresses, hashed passwords and home addresses were stolen in the VTech breach, which could be used in subsequent phishing and social engineering attacks," Zscaler Chief Information Security Officer Michael Sutton told eWEEK.
"While the passwords were hashed in the database, they can easily be exposed via a dictionary attack, and affected consumers should, therefore, consider them to be compromised and change authentication credentials at any other sites where the same passwords have been used."
Additionally, responses to password recovery questions were also compromised and stored in plain text, and this information could be leveraged to reset passwords at other sites, Sutton said. He suggested that those wishing to know if they were impacted by the VTech breach can do so by searching for their email address at HaveIBeenPwned.com, an online resource that tracks the accounts exposed in many recent high-profile data breaches.
Inga Goddijn, executive vice president of Risk Based Security, warned that consumers should be wary of phishing scams stemming from the VTech breach. "Once information like where you live, what toys or games you have given your child and your email address are known to scammers, it can be fairly easy to put together a malicious email campaign that looks legitimate," Goddijn said.
Tim Erlin, director of IT security and risk strategy at Tripwire, commented that he's not too surprised that VTech was breached, given that VTech is collecting and storing customer data, which makes the company an attractive target. Erlin suggested that all organizations should prepare a response plan before a breach occurs.
"After a breach, there's always an internal discussion about how security products and processes should change to address any gaps identified as complicit in the breach," Erlin told eWEEK.
"I wouldn't expect much public disclosure of internal changes from VTech."
The breach highlights the need for parents and other consumers to be very vigilant about personal information.
Shuman Ghosemajunder, vice president of strategy at Shape Security, commented that parents in general should be very careful about who they give their children's information to and should watch for telltale signs that a company isn't taking security seriously, such as not using Secure Sockets Layer/Transport Layer Security (SSL/TLS) while logging in or submitting sensitive information.
Overall, though, all VTech users should change their passwords immediately. "If a password you use for other services was part of a breach, even if it was encrypted, you should change those passwords as quickly as possible," Erlin said.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist