Digital toy company hack exposes information and risks kids' privacy

Deborah Salmi 10 Dec 2015

Digital toy company hack exposes information and risks kids' privacy

Internet-connected toys gather data on the user and have weak security compared to other computer products.

vtech-innotab Data stolen from children today can be used to build profiles that will cause trouble for them in the future

Digital devices and toys like cameras, smartwatches, and tablets may be on your child's Christmas wish list. But more parents are having second thoughts about placing these items under the tree, because Internet-connected toys gather data on the user and have weak security compared to other computer products.

6 million children's accounts taken by a hacker

This weakness was made very public during the Black Friday shopping bonanza, when a Hong Kong-based digital toy company called VTech lost databases of more than 6 million children and almost 5 million connected parental accounts to a hacker.

By putting the databases together the hacker was able to retrieve personally identifiable information like children's names, ages, and genders, and even pictures and chat logs were found. Parents’ names, email addresses, secret questions and answers, IP addresses, encrypted passwords, and mailing addresses were also accessed. Supposedly the breach did not include credit card or financial account information exposure.

The hacker responsible for breaking into the VTech databases told Motherboard that his only intention was to expose the company's inadequate security practices. There has been no indication or evidence that the data has been put up for sale on hacker forums.

“Profiting from database dumps is not something I do,” the hacker told Lorenzo Franceschi-Bicchierai, a staff writer at VICE Motherboard. “I just want issues made aware of and fixed.”

The company has taken several of its sites and services offline after the breach and hired a security company to improve data security.

Do parents have anything to worry about?

Most parents probably have no idea that their children's data can be compromised, or that there is even anything to worry about. But the danger with stealing even basic pieces of information from a child, is that cybercrooks can begin early to build profiles, setting up the young child for identity theft or other nefarious activities in the future.

"Nowadays it sometimes happens that sophisticated fraudsters use children's data later on, when they come of age, and establish a credit record or 'credit footprint' without the child even knowing it," Diarmuid Thoma, from security firm Trustev, told ZDNet after the hack was exposed.

The Identity Project, a website which educates people about identity theft, share some potential real-life consequences when a child's identity gets stolen.

    1. 1. Young adults could be denied the first credit card they apply for because their credit history will show odd behavior.
    2. 2. Their first medical emergency can have incorrect information, because cybercrooks have used it for medical services.
    3. 3. Their DMV records may be tied to criminal activity, which could complicate their license application.
    4. 4. They will be denied a college loan to pay for school.
    5. 5. They will be denied their first apartment and utilities because their credit check fails.

Should parents stop buying internet-connected toys?

With this type of breach made public, parents will now realize the danger that internet-connected toys at home, and even educational technology used at school, may pose to their children in the future because of the lack of security today.

Refraining from purchasing digital items will actually get harder as the Internet of Things universe expands.

We have already become used to sharing personal information in order to get a better experience, so until children’s online protection improves, parents will have to balance the importance of the information they are willing to give up against the benefits of having it used by a company that provides services (think Google or shopping sites) and factor in the level of risk they are willing to tolerate.

image via

Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.

Related articles

--> -->