‘Pretty easy’: 200,000+ kids’ photos, names grabbed by hacker from ‘negligent’ company

Birthdates and photos of 200,000 kids are just the beginning of what a hacker captured from VTech, a maker of educational electronics for children. The theft of passwords, emails and addresses of 4,833,678 parents makes this the fourth largest breach yet.

VTech stored chat logs and other private information in such a way that the hacker felt “sick” at how much he was able to collect.

“Frankly, it makes me sick that I was able to get all this stuff,” the unnamed hacker told Vice’s Motherboard in an encrypted chat. The hacker promises to do “nothing” with the data.

“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said.

Parents communicated with their sons and daughters via Kid Connect, a chat service app on which identifying information – like the first name, birthday, and gender of more than 200,000 youngsters – was stored along with photos and further details regarding the account and household. Children aged 3 to 9 are the target demographic for VTech’s tablets, smartwatches and other devices.

VTech announced the November 14 hack on Friday. On Monday, the company removed itself from public trading in Hong Kong, where it is based.

The hacker downloaded 190GB of photos, estimating he has tens to hundreds of thousands of headshots.

“VTech should have the book thrown at them,” the hacker told Motherboard.

The hacker gained total access to the consumer data using an old method known as SQL injection, or SQLi. It is executed by simply entering commands into a website’s forms, causing hidden data to reveal itself.
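How form input ends up being run as SQL, and how a parameterized query prevents it, shown as an added example that is not from the article or from VTech's code. The table, column names, sample rows and function names are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; not real records or VTech's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parents (email TEXT, address TEXT)")
    db.executemany("INSERT INTO parents VALUES (?, ?)", [
        ("alice@example.com", "1 Elm St"),
        ("bob@example.com", "2 Oak Ave"),
        ("carol@example.com", "3 Pine Rd"),
    ])
    return db

def lookup_unsafe(db, email):
    # Vulnerable: the form value is pasted into the SQL text, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email, address FROM parents WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    # Hardened: the ? placeholder binds the form value as data only;
    # the database never parses it as part of the statement.
    sql = "SELECT email, address FROM parents WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

def compare(form_value):
    # Return how many rows each lookup discloses for the same form input.
    db = make_db()
    return len(lookup_unsafe(db, form_value)), len(lookup_safe(db, form_value))

if __name__ == "__main__":
    # An ordinary address matches one row either way.
    print(compare("alice@example.com"))
    # Textbook tautology input: the unsafe query's WHERE clause becomes
    # always true and discloses every row; the safe query matches nothing.
    print(compare("x' OR '1'='1"))
```
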

According to Have I Been Pwned, a free web service showing which email addresses have been exposed in a hack, the VTech episode is the fourth largest consumer data breach in history.

“That’s very negligent,” Troy Hunt, creator of Have I Been Pwned, told Motherboard. “They’ve obviously done a really bad job at storing passwords.”

The VTech hack is larger than the January 2014 hacking of Snapchat, but is dwarfed by an October 2013 breach of Adobe, which affected 153 million usernames, email addresses and encrypted passwords.

Earlier this year, a hack revealed 30 million Ashley Madison users’ email addresses, serving as a lesson to adults who need strong protection to conceal their behavior. As news of hundreds of thousands of affected children spreads, the latest breach may serve as a lesson about how much encryption matters to family-friendly activities as well.