The Hong Kong, China-based VTech, a supplier of electronic kids' products, said profiles belonging to nearly 6.4 million children – most of them located in the U.S. and France – were hacked in a recent data breach.
In total, 4,854,209 customer accounts belonging to parents and 6,368,509 related kid profiles were affected worldwide. The U.S. accounted for 2,894,091 of those accounts, while 1,173,497 France-based profiles were hacked. The hacker also stole hundreds of gigabytes worth of profile photos, audio files and chat logs, many belonging to children.
In a statement released Monday, VTech said the database contained profile information including names, email and snail mail addresses, download history and passwords. It also held names, genders and birthdates. VTech noted the database did not store credit card information or personal identification data such as Social Security numbers.
But the hacker behind the breach of VTech, which specializes in electronic learning products, allegedly claimed he tried to teach victims a cybersecurity lesson.
In an exclusive interview with Lorenzo Franceschi-Bicchierai of Motherboard, the unnamed hacker revealed what brought him to hack into VTech's servers and why he decided to expose the company's inadequate security practices.
"All the evidence suggested I wasn't the only person outside of VTech who could have got the data," the hacker said. "Profiting from [database] dumps is not something I do. Especially not if children are involved! I just want issues made aware of and fixed."
These issues included unencrypted communications that pass through the app and much of the information and pictures linked to specific usernames, according to Motherboard. VTech took down some vulnerable portals, including its Learning Lodge app store, which was affected in the hack.
"This hack is a great example of a vendor where 'time to market' is more important than 'security by design,'" Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based cybersecurity company KnowBe4, stated. "The Internet of Things is a minefield of security pitfalls and bear traps. Credit unions should carefully consider the devices they select for use in their infrastructure."
Dodi Glenn, vice president, cybersecurity at the Ellisville, Mo.-based PC Pitstop, took a different view of VTech's claim that no financial information, such as credit card and Social Security numbers, was stolen.
"Victims who rely on the same email address and password combinations can still be faced with financial losses," he said. "For example, the victim who banks at Bank of America and uses the email address [email protected] with the password 'fluffy' to access their bank account is likely using this same username/password combination for VTech's website."
Glenn suggested anyone who used, or is using, the VTech website should change their password not only on the VTech site but on all other sites, particularly if the same username/password combination was used.
"Password reuse is a biggie – realistically, you should have a unique password for each of your online accounts," he added.
Additionally, Glenn recommended individuals ensure they have secured their own computers by running an antivirus program, keeping programs updated (both Windows and third-party applications) and using common sense on the digital highways.
"If something looks too good to be true, don't click on it," he said.
The large jump in the number of U.S. breaches recently counted by the San Diego-based Identity Theft Resource Center's weekly breach report includes the VTech incursion. As of Dec. 1, 2015, the number of breaches captured totals 717, just shy of last year's record pace for the same time period (719). With 27 breaches added to the 2015 ITRC Breach List during the past week, the five industry sectors break down as follows: Business 40.4%, medical/healthcare 34.6%, banking/credit/financial 9.2%, government/military 8.1% and education 7.7%.