Toymaker VTech hit by largest ever hack targeting kids

Before you go, we thought you'd like these...
VTech Says Kids' Photos, Chat Logs Affected by Data Breach

(Reuters) -- A cyber attack on digital toymaker VTech Holdings Ltd exposed the data of 6.4 million children, the company said on Tuesday, in what experts called the largest known hack targeting youngsters.

The Hong Kong-based firm said the attack on databases for its Learning Lodge app store and Kid Connect messaging system affected even more kids than the 4.9 million adults that the company disclosed on Friday.

See below to look back at notable data breaches:

8 PHOTOS
Notable Data Breaches
See Gallery
Toymaker VTech hit by largest ever hack targeting kids
LONDON, ENGLAND - AUGUST 19: A detail of the Ashley Madison website on August 19, 2015 in London, England. Hackers who stole customer information from the cheating site AshleyMadison.com dumped 9.7 gigabytes of data to the dark web on Tuesday fulfilling a threat to release sensitive information including account details, log-ins and credit card details, if Avid Life Media, the owner of the website didn't take Ashley Madison.com offline permanently. (Photo by Carl Court/Getty Images)
The Homeland Security Department headquarters in northwest Washington, Friday, June 5, 2015. China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time. The Department of Homeland Security said in a statement that data from the Office of Personnel Management _ the human resources department for the federal government _ and the Interior Department had been compromised. (AP Photo/Susan Walsh)
FILE - In this Feb. 5, 2015 file photo, the Anthem logo hangs at the health insurer's corporate headquarters in Indianapolis. Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for health care privacy in the Internet age _ a striking omission in light of the cyberattack against Anthem, the nation's second-largest health insurer. (AP Photo/Michael Conroy, File)
Sony Pictures Entertainment headquarters in Culver City, Calif. on Tuesday, Dec. 2, 2014. The FBI has confirmed it is investigating a recent hacking attack at Sony Pictures Entertainment, which caused major internal computer problems at the film studio last week. (AP Photo/Nick Ut)
FILE - In this file photo made Oct. 6, 2009, employee John Abou Nasr pushes shopping carts in the parking lot of a Home Depot in Methuen, Mass. Home Depot's data breach could wind up being among the largest ever for a retailer, but that may not matter to its millions of customers. (AP Photo/Elise Amendola, File)
Shoppers arrive at a Target store in Los Angeles on Thursday, Dec. 19, 2013. Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear. (AP Photo/Damian Dovarganes)
Graphic shows details of recent notable data breaches by organization; 3c x 7 inches; 146 mm x 177 mm;
of
SEE ALL
BACK TO SLIDE
SHOW CAPTION +
HIDE CAPTION

Security experts said they expected the size of the breach would prompt governments to scrutinize VTech and other toymakers to review their security.

"This breach is a parent's nightmare of epic proportions," said Seth Chromick, a threat analyst with network security firm vArmour. "A different approach to security for all organizations is needed."

Chris Wysopal, co-founder of cyber security firm Veracode, said it could be a wake up call for families in the same way that the hack on infidelity website Ashley Madison earlier this year made adults realize online data might not be safe.

VTech said in a statement on its website that the children's profiles included only name, gender and birth date. Stolen data on their parents included name, mailing address, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password.

The United States had the most VTech customers whose data was accessed, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands.

At least two U.S. states have begun investigations into the attack, along with regulators in Hong Kong.

"This case will lead many toy companies to rethink their security protections for children's data," said Shai Samet, founder of Samet Privacy, which audits toymakers for compliance with the U.S. government's Children's Online Privacy Protection Act.

Technology news site Motherboard, which broke news of the breach last week, reported that the person who claimed responsibility for the hack said "nothing" would be done with the stolen information.

Security experts were skeptical, noting that the stolen data could be worth millions of dollars.

"I wouldn't trust him," said Troy Hunt, a security expert who reviewed samples of stolen data and information about the attack for Motherboard.

"I don't believe the word of anyone who compromises a network," said Justin Harvey, chief security officer with Fidelis Cybersecurity.

Harvey noted that stolen records sell for $1 to $4 in underground markets.

Read Full Story

People are Reading