The Horrifying Vtech Hack Let Someone Download Thousands of Photos of Children

By Adam Clark Estes on at

he latest details about a recent security breach at a toy company are in, and they are disturbing. A couple of weeks ago, hackers successfully broke into the servers of connected toy maker Vtech and stole the personal information of nearly 5 million parents and over 200,000 kids. What we didn’t know until now: the hackers stole pictures of kids, too.

The hacker’s identity is still unknown, but he’s been updating Motherboard with details about the hack. When the story broke a couple days ago, the site reported that the hacker broke into Vtech’s servers and stole the names, emails, passwords, download histories, and home addresses of 4,833,678 parents who bought the company’s devices. The massive batch of data also contained the first names, genders, and birthdays of over 200,000 children. Motherboard’s Lorenzo Francheschi-Bicchierai identified the hack as “the fourth largest consumer data breach to date”.

But then, this afternoon, the story grew more troubling when it became clear that the hacker gained such broad access to Vtech’s servers that he also downloaded about 190-gigabytes of photos from the company’s Kid Connect service. This is a simple little app that lets parents chat with their kid using a Vtech tablet and a smartphone. The images themselves appear to be headshots that Vtech encourages its users to upload when using the app.

The Horrifying Vtech Hack Let Someone Download Thousands of Photos of Children

In a sense, the hack is comparable to someone breaking into Facebook and making off with all of your private information and photos. The major difference, of course, is that we’re talking about a company that makes devices for small children. The Wi-Fi-connected Vtech tablets are recommended for children between the ages of three and nine. Vtech also makes a digital camera and a camera-mounted smartwatch for the same age range. It’s certainly not the kids’ fault that a random hacker can see what they’re doing with their toys.

It is, however, Vtech’s fault. The news is dire enough that the company suspended trading on the Hong Kong stock exchange earlier today. This comes after security researcher Troy Hunt revealed that Vtech failed to take even the most basic steps to secure its customers data — and their children’s. He writes:

For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.

You’d think if you were a children’s toy company hosting photos and addresses of small children on your server you’d at least encrypt the connections. The Vtech hacker says he used an old school SQL injection to break in and get root access to the company’s servers. “It was pretty easy to dump, so someone with darker motives could easily get it,” he told Motherboard. For what it’s worth, the hacker says he doesn’t plan on publishing the data publicly.

It’s hard to decide if you want to be horrified or downright angry about this situation. On one had, the Sony hack and [US retail chain] Target breaches have shown that anyone can be an unwitting victim to a company’s weak security. However, the especially terrible security at Vtech makes you wonder if you should even be letting kids play with internet-connected toys. After all, it was just a few months ago that we learned how the new “Smart Barbie” could spy on kids. What else can go wrong?

I don’t have kids, so my opinion on this matter is somewhat uninformed. I do remember that my first favourite toy was Socrates, an educational robot made by — guess who — Vtech. Who knows what I typed into that little grey box of fun. If my parents ever had half of a suspicion that some pervert could gain access to my toy and watch me play, well, it probably would’ve been back to a Lego-only playtime for me. Now, in 2015, this is a very real possibility.

Say what you will about connected toys and cheap electronics for kids, but this Vtech bonanza should serve as a wakeup call to any and every company cutting corners on security. It should also be a weighty reminder to parents who would buy these devices that companies do cut corners on security. This not only puts their personal data at risk. Neglect puts kids at risk, too. [Motherboard]

Image via Flickr / Getty