VTech Hacker Obtains Kids' Photos, Chat Logs

It's not just user contact information that's at risk from the VTech hack; actual chat logs and pictures are targets too.


The full extent of the VTech Holdings breach continues to spiral outward, as even more information is at risk than initially reported. VTech issued a statement on Nov. 30 that admitted the company became aware of a breach on Nov. 24.

According to VTech, information was stolen from its customer database, including user profile information. VTech has also admitted that the breach impacts approximately 5 million consumers. As it turns out, much more personal information was taken than first believed, according to a report from Motherboard, which claims to have been contacted by the hacker behind the data breach.

The report claims that the hacker was also able to obtain 190GB of photos, including both children and parents. The photos were being stored by VTech as well as chat and audio logs between parents and children, used as part of VTech's Kid Connect service.

VTech has already taken what it considers to be precautionary measures, suspending its Learning Lodge apps store as well as well as 13 VTech Websites.

VTech isn't the only manufacturer of childrens' toys that has been the target of hackers this holiday season. Mattel's Hello Barbie doll, which is a WiFi-enabled toy, has also attracted the attention of the security community. According to a report on NBC, security researchers claim that Hello Barbie is a security risk, enabling an attacker to gain access to stored audio files. Hello Barbie is an interactive device that makes use of WiFi to listen and respond to a child's voice.

In light of the latest revelations about toy safety in the Internet era, there are a number of best practices that security experts contacted by eWEEK recommend.

"Continually evaluate how, when and where your child's information is stored or given out on the Internet," Justin Harvey, chief security officer at Fidelis Cybersecurity, suggests. "I recommend putting as little information about your child as possible over the Internet."

Marcus Carey, founder and chief technology officer at vThreat, warns that anything parents put on the Internet about their children, even on social networks, could potentially be used for fraud or even worse.

"Parents should share their children's information on a 'need to know' basis, meaning with schools, health care providers, etc," Carey said.

Parents are not entirely on their own when it comes to online privacy. The Children's Online Privacy Protection Act (COPPA) was passed in 1998. "COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age," explains the U.S Federal Trade Commission in a summary of the act.

Although COPPA was put in place to protect children's privacy, the act does not include any requirements that data about and from children be stored securely, according to Chris Eng, vice president of security research at Veracode.

"It only protects against unscrupulous operators who would misuse children's information," Eng said. "Children, like parents, have no protection from operators that do not put adequate security protections in place."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.