Many parents all over the world were shocked on Nov. 27 when VTech Holdings Limited, manufacturer of kids' electronic learning devices and software confirmed a data breach that compromised not only personal information of more than four million parents but of more than 200,000 children as well. That's not even the worse of it - kids' chat logs and photos were also leaked, raising a lot of questions on how VTech handles sensitive data.
Here's a summary of the whole VTech fiasco: On Nov. 14, a hacker breached VTech's Learning Lodge app store servers and obtained several files containing identifiable personal records of registered users (both parents and children), including passwords that were found unencrypted and easily cracked with just a quick web search.
Now here's the unbelievable part: VTech didn't realize that there had been a breach until Motherboard alerted them and only confirmed that information had been compromised on Nov. 27.
"Frankly, it makes me sick that I was able to get all this stuff," the hacker reportedly said in an encrypted chat. As a parent who may have been affected by this massive breach, what could you possibly do now that the damage has been done?
First, it's highly unlikely that your data had been skipped over by the hacker who claimed that the information will not be released publicly or sold but if you want to be sure, access the Have I Been Pwned? website to verify if you have been compromised.
Second, once you've confirmed that your account has been compromised, we suggest that you quickly change your password in all VTech accounts and make sure that none of your other online accounts, whether related to VTech or not, have the same password. Change your security question and answer too because it's nowhere near secure.
Third, as parents and victims, keep in mind that the children will also need to learn safe practices when using anything connected to the internet. The hacker involved in the VTech breach does not seem to have any malicious intent with the information he or she obtained but the same does not apply for other breaches.
VTech's Nov. 30 update revealed no helpful information on their actions to strengthen the security of their servers.
Yes, VTech assures that not even one piece of credit card information was leaked since any type of payment transaction is made through a secure third-party partner. Nevertheless, can parents actually relax knowing that their children's personal information and photos have been compromised and that those data were never really secure in the first place?
Likewise, VTech assures that no personal identification data such as Social Security numbers were stored, but it also confirmed data that are just as alarming. "Our customer database contains user profile information including name, email address, password... IP address, mailing address..." as indicated in its Frequently Asked Questions page for the incident. It appears the company is basically serving its clients in a silver platter for anyone with malicious intent.