Half a million British families, including 750,000 kids, have been affected by the massive hack of Vtech, a manufacturer of electronic devices and toys for children, Channel 4 News has learned.
The hack has left parents furious about the breach which has put personal data, and their children’s sensitive data, photos and messages, at risk.
TalkTalk recently experienced a data theft of 157,000 records, but the VTech breach is one of the largest in history, including 5 million adults’ information.
The hacked database includes 560,487 accounts identified as belonging to people in the United Kingdom the company has tonight confirmed.
A spokesperson for the Information Commissioner’s Office tells Channel 4 News: “We are aware of this incident and are making enquiries.”
Accounts set up by parents for their children are vulnerable with 727,155 British children’s online accounts affected, the company has revealed.
The children’s data included their name, username, gender and date of birth. The data has not yet been, and may not ever be, released.
Prompting outrage from parents, pictures of children taken on the devices, and chat conversations between children and parents stored on the company’s servers, were obtained by the hacker, according to Vice’s tech news site Motherboard, which first reported the breach and posted an edited selection of some of the images.
A Vtech spokesperson did not answer questions from Channel 4 News on the issue of the children’s data but it confirmed “an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015.
“The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future.”
The company said it immediately conducted a thorough investigation put in place measures to defend against further attacks.
Michael Smith, from near Luton, said that the hack has left him unable to speak to his son, who he says loves using his Vtech Innotab device – especially to talk to his dad.
“He lives 100 miles away from me and we used the Kid Connect app to stay in touch, so he could message me any time he liked to speak to me or share something with me – it works a lot like WhatsApp.”
And Michael was frustrated that the hack was apparently conducted with such ease – using a common database exploit.
“It would appear it was such a simple hacking technique used to get through their security. Bearing in mind that children’s information is at risk, it’s beyond belief.”
Jodie Watson, from the Isle of Wight, told Channel 4 News that she only got a form email from the company after she contacted them. It reads: “We would like to offer our sincere apologies regarding this issue and assure you that we are treating the matter extremely seriously.”
Ms Watson says her four-year old daughter plays on her Innotab daily, and that the company had not made her aware of the full extent of the hacked information until she was informed by Channel 4 News.
“I definitely would not purchase another item sold by Vtech until the security is upped. At the moment [my daughter] is not allowed on until Vtech have said the problem is sorted.”
The firm took down 13 of its websites in response to the hack, and they remain down today, more than two weeks after the hack occurred.
Security expert Troy Hunt, who runs the Haveibeenpwned.com site that allows people to see if their own email address features in data breaches, has had access to and worked to verify the hacked data.
He told Channel 4 News – “Parents need to think about any info they’ve given VTech and decide what risk that represents. If it’s a reused password then change it everywhere else. Unfortunately in the case of the kids’ exposure though, there’s really nothing they can do.”
Mr Hunt indicated that the hacker was unlikely to share the hacked information more widely but that since the hacker had broken into the system and sent the information to a reporter, it could be in danger of being distributed more widely.
Parents have been discussing on Twitter whether to buy VTech gifts for their children for Christmas in light of the hack.