The personal data of up to five million parents and more than 200,000 children was lifted from the servers of digital learning toy manufacturer VTech.
Information was swiped from the Learning Lodge app store database. Learning Lodge is a site that allows consumers to download apps, learning games, E-books and other content to their VTech toys.
Member credit and debit card data has not been stolen. However, an unnamed hacker did get his hands on the names, email addresses and home addresses of the adults, and the first names, genders and birthdays of the children, according to reports from Motherboard.
VTech left a myriad of other sensitive data on its servers, including children’s photos and chat logs, which were generated from the company’s Kid Connect service. Kid Connect is a smartphone app that allows parents and their children to communicate and share images, chats and audio in real time.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker told Motherboard in an exclusive interview. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”
The hacker reportedly accessed the data on Nov. 14. After discovering the unauthorized entry on Nov. 24, VTech started a “thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” the company noted in a press release.
VTech also confirmed that payment information was not at risk, indicating that the company does not store any credit card data on the Learning Lodge web site. Rather, all customers are redirected to a third-party payment gateway to purchase apps, games and content.