A Hong Kong-based digital toy maker was recently hacked, exposing data from five million people, including children. VTech, which sells tablets and other educational electronics, announced that on November 14, its online learning portal Learning Lodge was hacked, releasing nearly 200 gigabytes' worth of photos of parents and children who registered to use the site, in addition to chat logs and recorded conversations.
The hacker, who positioned himself as a whitehat, vowed not to publish or sell the data and instead went straight to the press with his findings, providing Motherboard with a sample containing 3,832 images and one audio recording for verification's sake. Remaining anonymous, the hacker explained that he breached planetvtech.com, one of VTech’s many sites, using the age-old SQL injection technique. From a security standpoint, this kind of vulnerability is downright shameful, as any business the slightest bit concerned about cybersecurity would’ve mitigated this risk a long time ago.
Image via Motherboard
Make no mistake, the dump also contained real names, email addresses, IP addresses, mailing addresses, and even the answer to the security question of the parent-created account, making it easy to track down the physical address of any child linked to the adult. This makes the situation all the more eye-opening, as it highlights just how vulnerable our children’s footprint is; while adults may willingly consent to upload their private information online, children cannot, and they will continue to be part of the collateral damage that stems from data leaks so long as we willingly submit their data. Less important is the fact that no credit card information was stolen.
Speaking with Motherboard, the hacker explains that the situation started two months ago, while he was browsing a forum dedicated to hacking the Innotab, a VTech tablet for children. The forum goers are mostly tinkerers of sorts, dabbling with things like running the classic PC game Doom on the tablet — a hallmark of IoT hacking.
After learning what he could about the web services used to manage VTech’s products, the hacker decided to see things for himself, and discovered that the version of Flash used to run planetvtech’s login box was vulnerable to SQL injection. Within no time at all, he successfully commandeered admin rights and downloaded its databases.
As far as hacking is concerned, any script-kiddie running an SQL Injector could’ve technically produced the same results (assuming the operation was as simple as the hacker made it out to be). This makes you wonder exactly how many people may have already extracted the data.
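To make concrete why a login box vulnerable to SQL injection is considered a solved problem, here is an added example (not code from VTech or from the article) that builds a constructed in-memory user table and shows the same login check written two ways: one that splices the submitted username into the SQL text, and one that passes it as a bound parameter. The table, the user names and the `login_*` function names are all assumptions made for the illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data for a toy login table; not VTech's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("parent1", "correct horse", 0), ("admin", "s3cret", 1)],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input becomes part of the SQL text, so it can change the
    # structure of the query instead of acting as a plain value.
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # Placeholders keep the input as data: the SQL parser never sees it,
    # so a quote or comment marker in the input cannot alter the query.
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Return both functions' results for a legitimate login and for a
    username containing a quote and an SQL comment marker (constructed)."""
    crafted_user = "admin' --"  # closes the string, comments out the password check
    return {
        "legit_vulnerable": login_vulnerable(build_db(), "admin", "s3cret"),
        "legit_parameterized": login_parameterized(build_db(), "admin", "s3cret"),
        "crafted_vulnerable": login_vulnerable(build_db(), crafted_user, "wrong"),
        "crafted_parameterized": login_parameterized(build_db(), crafted_user, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The string-built query returns the admin row without the correct password, because the quote ends the username literal and the rest of the `WHERE` clause is commented away; the parameterized query treats the same input as an ordinary (non-matching) username and returns nothing. The client technology in front of the form, Flash or anything else, makes no difference: the server must bind parameters (and, separately, should store password hashes rather than plaintext) regardless of what the client sends.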
Source: NYTimes and Motherboard