VTech, a Chinese company dealing in electronic toys, has suffered a massive data breach in which the details of 4.8 million parents and children are believed to have been exposed.
The hacker disclosed all the breached data to Motherboard magazine, and Troy Hunt (owner of the Have I Been Pwned service) also confirmed the breach.
The company claims no credit card information was breached in the incident, but a lot of personal data was exposed, including:
Parent names, Parent emails, Parent passwords, Parent secret question and answers, Parent password hints, Parent login information, Parent registration URL, Parent IP information, Parent addresses, Parent VTech account details, Child names, Child avatar images, Child gender, Child passwords, Child registration URL, Child VTech account details and Child-parent relations
Further analysis of the data showed it came from the company’s customers in the UK, Spain, Germany and France.
The attack is believed to have been an SQL injection against the company’s database, which allowed the hackers to extract the details.
A screenshot from the stolen data:
Hunt believes the database was vulnerable because it was running on an outdated platform, relying on ASP.NET 2.0, WCF, SOAP and Flash. While analysing one of the portals, researchers found SQL queries dumped along with other debug data. Hunt said:
“Why they’re returning an SQL statement is absolutely beyond me. On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant [in VTech’s system].”
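The two weaknesses Hunt describes, user input spliced into SQL text and the resulting statements echoed back to the client, can be shown side by side in a few lines. The following is an added example written for this article, not VTech’s code (their portal was ASP.NET, not Python); it uses an in-memory SQLite table with constructed sample rows, a query builder that concatenates strings beside one that binds parameters, and a toy request handler whose leak_debug flag mimics a portal that dumps its SQL and driver errors into the response.

```python
import logging
import sqlite3

log = logging.getLogger("account-portal")


def build_db():
    """Constructed sample data standing in for a real account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.executemany(
        "INSERT INTO parents (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.com",)],
    )
    return conn


def build_vulnerable(email):
    """Anti-pattern: the user-supplied value becomes part of the SQL text,
    so quotes and keywords in it are parsed as SQL by the database."""
    sql = "SELECT email FROM parents WHERE email = '" + email + "' ORDER BY email"
    return sql, ()


def build_safe(email):
    """Parameterised query: the driver binds the value separately and the
    database never interprets it as SQL, whatever characters it contains."""
    sql = "SELECT email FROM parents WHERE email = ? ORDER BY email"
    return sql, (email,)


def handle(conn, email, build, leak_debug):
    """Toy request handler returning the dict an endpoint would serialise.

    leak_debug=True reproduces the behaviour Hunt criticised: the failing
    statement and the driver's error text go straight to the client.
    leak_debug=False keeps that detail in the server log and returns an
    opaque error, which is the hardened form.
    """
    sql, params = build(email)
    try:
        rows = [row[0] for row in conn.execute(sql, params)]
        return {"status": 200, "results": rows}
    except sqlite3.Error as exc:
        # Full detail belongs in the server-side log, never in the response.
        log.error("query failed: %s (sql=%r)", exc, sql)
        if leak_debug:
            return {"status": 500, "error": str(exc), "sql": sql}
        return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    db = build_db()
    # A lone apostrophe in a legitimate value breaks the concatenated query
    # and, with debug output on, hands the client the statement itself.
    print(handle(db, "o'brien", build_vulnerable, leak_debug=True))
    # The same input against the parameterised query is just a value lookup.
    print(handle(db, "o'brien", build_safe, leak_debug=False))
```

Running it shows the concatenated version failing with a syntax error whose response body contains the full SELECT statement, while the parameterised version returns an empty, well-formed result for the same input. The two fixes are independent: parameterisation stops input from being executed as SQL, and suppressing debug output stops the application from telling anyone what its queries look like in the first place.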
The most troubling part of this breach is that it disclosed not only the personal details of children and parents, but also the relationships between parents and children and the URLs used for registration. The investigator was even able to identify the devices kids used and the websites they frequently visited.
According to the website Have I Been Pwned, this was the fourth largest data breach, just behind the Adobe (152 million accounts), Ashley Madison (30 million+ accounts) and 000webhost (13.5 million accounts) breaches.