The data breach that hit the popular toymaker VTech keeps on getting worse.
Less than a day after Motherboard revealed that the hacker who breached the company also obtained thousands of pictures of children and parents, as well as a year’s worth of chat logs, VTech revealed that the breach affected more than 6 million children and not just 200,000.
“In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected.”
“In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected,” the company said in a press release published on Tuesday.
Until now, the Hong Kong-based company, which sells toys and internet-connected gadgets for kids, had tried to downplay the incident. In its first statement last week, the company didn’t mention any number of victims, and didn’t even mention that kids’ data was involved.
On Tuesday, however, VTech finally admitted the breadth of the data breach and even released a chart breaking down the number of victims by country. The majority of victims are in the United States, France, the UK, and Germany.
VTech also admitted that its database “was not as secure as it should have been,” and that it didn’t know of the data breach until Motherboard alerted them. But VTech said last week in an email that “we were not aware of this unauthorized access until you alerted us.”
The company, however, is still misleading the public. VTech declined to confirm whether the hacker accessed thousands of parents and children’s pictures, arguing that its internal investigation is still ongoing. The company also added that the pictures “are encrypted,” but as Motherboard already explained, the encryption is implemented in a way that makes it trivial to break.
“We were not aware of this unauthorized access until you alerted us.”
VTech also wrote that its “security protocols” only require undelivered messages to be stored on their servers, and only for 30 days. Yet, the hacker claims to have gotten his hands on a year’s worth of chat logs, from the end of 2014, until November of this year. Motherboard has received a purported sample of the chat logs, containing messages going back to December 2014.
“mom with this I can make a letter,” reads a message sent on Christmas Day, 2014.
The hacker who broke into VTech’s systems told Motherboard that he never intended to release the data to the public.
”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told me in an encrypted chat on Monday.