CBSN

VTech toymaker hack exposes parents and kids

Last Updated Dec 1, 2015 10:52 AM EST

VTech Holdings, a Hong Kong-based company that makes electronic toys for kids, says hackers have obtained personal information of almost five million customers, including more than 200,000 children.

Motherboard, which first reported the hack, called it one of the largest known consumer data breaches. "The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech," Motherboard reported. The hack also included information on more than 200,000 kids including first names, genders, birthdays and in some cases photographs.

VTech announced the breach on its website Friday and posted a statement, which said in part:

An unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

The company noted that its customer database does not contain any credit card information or personal identification information such as social security number or driver's license number.

CNET senior editor Dan Ackerman said it's the kind of breach that happens all too often, especially when companies like toy or appliance makers start venturing into more sophisticated technology. "They're not digital native companies so they may not have the security expertise needed to secure their databases. And this was a fairly simple hack," Ackerman said.

The hacker told Motherboard that they got into the VTech system using SQL injection, a simple and long-known technique that exploits web applications which build database queries by splicing untrusted user input directly into the query text, letting an attacker rewrite the query the application sends to its database.

Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint, said organizations can mitigate the risk of SQL injection through a combination of technology, such as web application firewalls; process, such as thoroughly testing every application that accesses customer databases for this class of vulnerability; and training for their developers.
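To make the vulnerability class and the mitigation concrete, here is an added illustration (constructed for this article, not VTech's code or any code from the breach): a toy customer lookup written the vulnerable way, the same lookup using a parameterized query, and a crude dynamic probe of the kind an application test suite can run against any query function. The table, the two sample customers and the payload strings are all made up. It uses Python's standard sqlite3 module, so it runs offline with no setup.

```python
"""SQL injection, vulnerable versus parameterized (constructed example, not VTech's code)."""
import sqlite3

# Constructed sample data standing in for a store's customer database.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "hash-of-alice-password", "1 Example Street"),
    ("bob@example.com", "hash-of-bob-password", "2 Example Avenue"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password_hash TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """VULNERABLE: the user-supplied email is pasted into the SQL text, so a quote
    character in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT email, password_hash, address FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """HARDENED: the query text is fixed; the value travels separately as a bound
    parameter and can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT email, password_hash, address FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: turns "WHERE email = 'x'" into "WHERE email = 'x' OR '1'='1'".
INJECTION = "x' OR '1'='1"


def probe_for_injection(lookup, conn: sqlite3.Connection) -> bool:
    """Crude dynamic test for the class of bug discussed above: if a lookup returns
    more rows for a tautology payload than for a harmless non-existent address, the
    input is reaching the database as SQL rather than as data."""
    baseline = lookup(conn, "nobody@example.invalid")
    tautology = lookup(conn, "nobody@example.invalid' OR '1'='1")
    return len(tautology) > len(baseline)


def demo() -> dict:
    """Run both lookups against a normal input and the injection payload."""
    conn = build_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice@example.com"),
        "normal_safe": lookup_parameterized(conn, "alice@example.com"),
        "inject_vuln": lookup_vulnerable(conn, INJECTION),   # dumps every row
        "inject_safe": lookup_parameterized(conn, INJECTION),  # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
    print("vulnerable flagged:", probe_for_injection(lookup_vulnerable, build_db()))
    print("parameterized flagged:", probe_for_injection(lookup_parameterized, build_db()))
```

Both functions behave identically on a legitimate address; the difference only shows when the input contains SQL syntax, which is why the bug survives ordinary functional testing and why Kalember's point about deliberately testing for this class matters. A web application firewall can block obvious payloads like the one above, but it is a compensating control; binding parameters (or an ORM that does so) removes the vulnerability itself.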

VTech said it first learned of the breach on November 24, ten days after the hacker appeared to have gotten access. The company said it immediately began an investigation of the hack, which involved checking the affected site and implementing "measures to defend against any further attacks."

However, Motherboard stated that VTech failed to alert customers of the severity of the breach. The hacker, who has been in contact with Motherboard, claimed that VTech left a lot of sensitive data exposed on its servers, including kids' profile photos and chat logs between children and parents.

"Customer data should always be encrypted or masked, and should only in rare cases be left in file form," Kalember told CBS News in an email. "All too often, however, organizations end up with customer data in spreadsheets on file servers or unencrypted databases."

"What makes this breach different from the run-of-the-mill retail breach is the children's personal data that [was] compromised," Kalember said. "Cyber criminals are not above using a child's information for financial gain, and this is a reminder that parents should hesitate before sharing any of their children's personal information online."

CBS News has reached out to VTech for comment and will update this story as more information becomes available.