The company plans to hired a security consultancy firm to conduct a forensic investigation and "help us to design a new more secure approach to our data security," it said.
Of the 11.6 million accounts affected, 4.8 million belong to parents. The parent data included names, email addresses, weakly hashed passwords, secret questions for password retrieval, IP addresses, mailing addresses and download history. No payment information was compromised.
The leaked data doesn't appear to have been used for criminal purposes yet, VTech said. Since the breach was of its servers, VTech said there doesn't appear to be a risk of children being tracked while using its devices.
Sign up for CIO Asia eNewsletters.