Toy maker VTech says breach hit 6.4 million kids’ accounts

Educational toy maker VTech has said 11.6 million accounts were compromised in a cyberattack last month, including those of 6.4 million children.

The total number of accounts affected is nearly double that reported last week by the security news site Motherboard, which interviewed a hacker who claimed credit for the breach.

Most of the account holders were in the U.S., including 2.2 million parents and 2.8 million children, VTech said Wednesday in Hong King, where the company is based. France, the U.K., Germany and Canada round out the top five countries hit, VTech said in an updated FAQ.

Data breaches have been become a top worry as cybercriminals and hackers probe online systems for weaknesses, resulting in massive breaches of payment card systems, health care data and U.S. government personnel records.

VTech’s breach stands out because it affected millions of children. The profile data leaked included their names, genders and birth dates.

[ ALSO ON CSO: VTech data breach should serve as a warning for parents ]

Reuters reported that the attorney generals of Illinois and Connecticut planned to investigate the breach, which occurred Nov. 14. And Hong Kong’s privacy commissioner for personal data said he would check whether VTech was following data privacy principles.

VTech’s toys include color touchscreen tablets for kids similar to Apple’s iPad. The InnoTab 3 has a camera, and can record video and audio and download apps.

Motherboard also reported that photos of children and parents had been exposed, as well as chat logs. VTech said it couldn’t confirm that images were leaked, but Motherboard published partially obscured images that it said it obtained from the hacker.

VTech said images on its servers are encrypted using the 128-bit Advanced Encryption Standard algorithm.

Chat logs from a VTech messaging service called Kid Connect are also believed to have been exposed, as well as some audio files. VTech said the chat logs were not encrypted, but that the audio files were encrypted using AES 128.

AES is considered a secure cryptographic algorithm and is widely used by the U.S. government. It’s unclear how Motherboard or the hacker would have been able to decrypt the images, since brute-force attacks are nearly impossible.

The security of the encrypted files and images, however, depends on how well VTech protected the private decryption keys, and the release of images raises the question of whether the hacker obtained those as well.

The breach affected the customer database for Learning Lodge, an app store for VTech’s devices, as well as the Kid Connect servers. VTech has suspended both services and 13 websites.

The company plans to hired a security consultancy firm to conduct a forensic investigation and “help us to design a new more secure approach to our data security,” it said.

Of the 11.6 million accounts affected, 4.8 million belong to parents. The parent data included names, email addresses, weakly hashed passwords, secret questions for password retrieval, IP addresses, mailing addresses and download history. No payment information was compromised.

The leaked data doesn’t appear to have been used for criminal purposes yet, VTech said. Since the breach was of its servers, VTech said there doesn’t appear to be a risk of children being tracked while using its devices.