VTech hack affects 6.4M children's accounts, 4.9M adults'

A cyberattack on digital toymaker VTech Holdings Ltd exposed the data of 6.4 million children, the company said on Tuesday, in what experts called the largest known hack targeting youngsters.

In Canada, 316,482 children and 237,949 adult accounts affected

Toymaker VTech says a cyberattack on its customer database exposed the data of 6.4 million children, making it what experts call the largest known hack targeting youngsters. (Tyrone Siu/Reuters)

A cyber attack on digital toymaker VTech Holdings Ltd exposed the data of 6.4 million children, the company said on Tuesday, in what experts called the largest known hack targeting youngsters.

The Hong Kong-based firm said the attack on databases for its Learning Lodge app store and Kid Connect messaging system affected even more kids than the 4.9 million adults that the company disclosed on Friday.

Among Canadians, 316,482 children's accounts and 237,949 adults' accounts were affected.

Security experts said they expected the size of the breach would prompt governments to scrutinize VTech and other toymakers to review their security.

"The disclosure of the scope of the breach is troubling," said Jaclyn Falkowski, a spokeswoman for Connecticut's attorney general.

Connecticut and Illinois said on Monday they plan to investigate the breach. Regulators in Hong Kong are also looking into the matter.

"This breach is a parent's nightmare of epic proportions," said Seth Chromick, a threat analyst with network security firm vArmour. "A different approach to security for all organizations is needed."

Wake up call for families

Chris Wysopal, co-founder of cyber security firm Veracode, said it could be a wake up call for families in the same way that the hack on infidelity website Ashley Madison earlier this year made adults realize online data might not be safe.

VTech said in a statement that children's profiles included name, gender and birth date. Stolen adult data included name, mailing address, email address, password retrieval questions, IP address and passwords.

VTech's Kidizoom Smartwatch is seen in this undated handout photo. The company announced Monday that hackers may have accessed personal data of five million customers. (Handout/Canadian Press)

The most VTech customers affected were in the United States, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands.

Shai Samet, a security expert who audits toymakers for compliance with the U.S. government's Children's Online Privacy Protection Act, said he believed the case would lead many toy companies to "rethink" security protections on children's data.

Technology news site Motherboard, which broke news of the breach last week, reported that the person who claimed responsibility for the hack said "nothing" would be done with the stolen information

Security experts were skeptical, noting that the stolen data could be worth millions of dollars.

"I wouldn't trust him," said Troy Hunt, a security expert who reviewed samples of stolen data and information about the attack for Motherboard.

Justin Harvey, chief security officer with Fidelis Cybersecurity, said stolen records sell for $1 to $4 in 
underground markets. 


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?