United Kingdom police have arrested a 21-year-old man, whose name has not been released, in connection with the VTech toy security breach that exposed the data of millions of children and adults.
No charges have been filed yet. He is being held on “suspicion of unauthorized access to computer[s] to facilitate the commission of an offense,” and the investigation is still in its early stages. The arrest was made by the South East Regional Organized Crime Unit (SEROCU) in Bracknell, a town located 30 miles west of London.
Last month, the breach affected users of VTech’s Learning Lodge app and Kid Connect chat program, and allowed attackers to collect over 200GB worth of photos, chat logs, and other private information. VTech said that 4,854,209 parental accounts and 6,368,509 kid profiles were affected and that the cyberattack was global in scope. The Hong Kong-based company has customer databases in the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, China, Australia and New Zealand, in addition to various Latin American countries.
News of the breach broke in late November via Vice’s Motherboard website, which noted that the hacker had no additional plans to publish or share the stolen data. Motherboard said that the hack began two months ago when the individual stumbled upon a thread in a forum of people dedicated to hacking the Innotab, a VTech tablet for children.
The community discussed a web service that VTech uses to manage products, which made the hacker curious. He browsed around until he found one of VTech’s websites, planetvtech.com, and noticed that it had a login box powered by Flash. After discovering that the site was vulnerable to age-old hacking techniques, he used a technique known as SQL injection to obtain the maximum level of administrative privileges on the server. After exploring some more, he also found the two databases containing personal data of millions of parents and children.
VTech advised customers to change their passwords and password retrieval information immediately, and temporarily suspended the Kid Connect app, from which the hacker obtained the photos. As for the UK man, we will have to sit back and watch what penalty the prosecutors will seek if he is found guilty.
Source: Engadget and Ars Technica