As the Hong Kong-based toymaker VTech reels from a massive hack that exposed the personal data of millions of parents and children, including their names, home addresses, and even pictures and chat logs, something has remained shrouded in mystery: Who is behind the hack? And why did they do it?
In early November, a hacker, who requested to remain anonymous, approached me online, and told me about some interesting data he had found on the servers of a company that made children’s tablets. The hacker said the data showed that the company was guilty of using “shitty security.”
The hacker later revealed that the company was VTech, and he shared some of the data he was able to obtain with Motherboard. In turn, I shared that data with security expert Troy Hunt, so that he could analyze it, and help victims figure out if they were part of the breach.
Since the very beginning, the hacker made it clear to me that publishing the data, or selling it on an online market, was never his intention. Yet, until Tuesday, the hacker had remained largely silent.
But in an exclusive interview with Motherboard, the hacker finally revealed what brought him to hack into VTech’s servers, and why he decided to expose the company’s inadequate security practices.
As it turns out, it all started around “two months ago,” when the hacker said he randomly stumbled upon a thread in a forum of people dedicated to hacking the Innotab, a VTech tablet for kids. The forum shows that there’s an active community of hackers who like to tinker with the tablet, mostly “for the lulz,” as the hacker put it. For example, one member was able to install and play the famous 1990s video game Doom on the tablet.
In the thread, a forum member discussed a web service that VTech uses to manage all of its products.
That got the hacker curious. In the following weeks, he “browsed around” until he found one of the many VTech websites, planetvtech.com. The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection.
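To show what a SQL-injectable login box like the one described above looks like, and what the fix is, here is an added illustration written for this article. It is not code from VTech or from the hacker, and the table, the credentials and the payloads are constructed for the example; nothing here is what was actually run against planetvtech.com. The vulnerable function builds the query by string concatenation, so a quote in the username ends the string literal and a `--` comments out the password check; the hardened function hands the same input to the database driver as a bound parameter, where it can only ever be data.

```python
import sqlite3

# Constructed sample data for the illustration (not real accounts).
# Passwords are kept in plaintext only to keep the example short; a real
# system would compare a salted password hash instead.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is spliced straight into SQL.

    A username such as  alice' --  turns the statement into
      SELECT username FROM users WHERE username = 'alice' --' AND password = '...'
    and the password check disappears behind the comment marker.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened login: the same query with bound parameters.

    The driver sends the SQL text and the values separately, so a quote or
    comment marker in the input is matched literally and never parsed as SQL.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against the same injection payloads."""
    conn = make_db()
    payloads = [
        ("alice", "correct horse"),   # legitimate login
        ("alice' --", "wrong"),        # comment out the password check
        ("' OR '1'='1' --", "wrong"),  # match every row
    ]
    return [
        (u, login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for u, p in payloads
    ]


if __name__ == "__main__":
    for username, vulnerable_result, safe_result in demo():
        print(f"{username!r:24} vulnerable={vulnerable_result!r:8} "
              f"parameterized={safe_result!r}")
```

The point of running both side by side is that the hardened version is not a filter or an escaping routine that an attacker can work around; it is a different interface to the database. Any code path that still concatenates user input into a query, including a Flash front end talking to a back-end service, is as injectable as this one regardless of how old the technique is.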
The hacker then quickly obtained the maximum level of administrative privileges on the server, known as “root” in technical jargon, and realized he could basically do whatever he wanted.
“Holy fuck, I have root, that was easy...what can I find?” the hacker recalled thinking.
At that point he started poking around, pivoted to other VTech servers, and was able to find some data. At some point, the hacker said, he found the two databases containing the personal data of millions of parents and thousands of children.
“When I got the [database] dumps, I realized how serious it was,” he told me in an encrypted chat.
That’s when he reached out to me. He decided to go straight to a reporter, rather than contact VTech, because he thought the company “would never listen” to him, and might even have tried to cover the breach up. Also, judging by the poor level of security he saw on VTech’s servers, he was worried others could get access to that data, or had already accessed it.
“All the evidence suggested I wasn't the only person outside of VTech who could have got the data,” he said.
The hacker, in any case, never wanted to publish the data or profit from it, because that’s something that’s “morally wrong.”
“Profiting from [database] dumps is not something I do. Especially not if children are involved!” he said. “I just want issues made aware of and fixed.”
After Motherboard alerted the company to the breach, VTech publicly admitted the hack on Friday of last week. News of the breach then quickly spread, and major news publications around the world, including BBC, CNN, The New York Times, and even the TV news show Good Morning America, covered it. Considering all this attention, “as much coverage as I could have hoped for,” the hacker said he felt he had succeeded at raising awareness of the vulnerabilities.
Still, the hacker added that he’s “pretty sure there's tons and tons of issues yet to be found,” and that he might keep looking for them as soon as VTech comes back online. (The company has taken several of its sites and services offline after the breach.)
Otherwise, the hacker added, he might move on to a new target, “maybe into VTech's competitors; I don't know.”