The InnoTab 3 is one of many products that uses VTech's Learning Lodge app store, which suffered a large data breach on Nov. 14. Credit: VTech
The data breach of Hong Kong toy manufacturer VTech appears to have also included photos of children and parents, adding to what could be one of the most surprising leaks of the year.
VTech, which makes cordless phones and what it terms electronic learning devices for kids, apologized on Twitter on Monday. The company said it has suspended the affected service, called Learning Lodge, and is notifying customers.
VTech officials couldn't immediately be reached for comment on Tuesday.
The breach affected a database for VTech's Learning Lodge app store, an online service that connects to many of the company's devices. VTech said the database was accessed on Nov. 14.
The compromised data includes 4.8 million customer email addresses, names and weakly hashed passwords of adult registered users. It also includes the gender, first name and birth dates of more than 200,000 children.
The customer data came from users in the U.S., Canada, U.K., Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, China, Australia, New Zealand and Latin America, VTech said in a FAQ.
The data was passed to Motherboard by the hacker, the publication reported. Motherboard was told the data was obtained by a SQL injection vulnerability.
A SQL injection flaw, one of the most common types of problems with websites, can allow a hacker to enter commands into a Web-based form and get the back-end database to respond.
Some of the VTech data was passed by Motherboard to Troy Hunt, an Australia-based security expert who studies data breaches and runs a notification service called Have I Been Pwned.
He verified the leaked data by contacting some people who had registered for his service, which notifies people if their email addresses turns up in a new data breach.
In a lengthy blog post on Saturday, Hunt's investigation of VTech's Learning Lodge and associated online services turned up numerous egregious security issues.
VTech's account registration services do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts data sent between a user's computer and a service, Hunt wrote. It's considered a high risk to not enable SSL/TLS, particularly when registering accounts with personal information and passwords.
This is one of VTech's account registration panels for parents. Credit: Troy Hunt
Sign up for CIO Asia eNewsletters.