(A sample of edited headshots of children and parents found on VTech servers)
If storing the personal data of almost 5 million parents and more than 200,000 kids wasn’t bad enough, it turns out that hacked toymaker VTech also left thousands of pictures of parents and kids and a year's worth of chat logs stored online in a way easily accessible to hackers.
On Friday, Motherboard revealed that earlier this month a hacker broke into the servers of VTech, a Hong Kong-based company that makes internet-connected gadgets and toys. Inside the servers, the hacker found the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
Over the weekend, the hacker, who asked to remain anonymous, told me that VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.
VTech did not respond to Motherboard’s request for clarifications as to why the company even stored this information on their servers in the first place. As security researcher Mark Nunnikhoven wrote in response to the hack, companies should be careful what data they collect and store, evaluating what are the risk in case that data gets stolen.
”Frankly, it makes me sick that I was able to get all this stuff.”
While probing VTech servers, the hacker found tens of thousands of pictures of parents and kids. Some are blank, or duplicates, so it’s hard to establish exactly how many are legitimate pictures. But the hacker said he was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands, or more, headshots of parents and kids, according to the hacker.
The hacker shared a sample of 3,832 image files with Motherboard for verification purposes, but he also said he doesn’t intend to publish or sell the data.
”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told me in an encrypted chat. ”VTech should have the book thrown at them.”
But it’s not just pictures. The server also contained chat messages exchanged between parents and their children. The oldest logs were dated from the end of last year, while the most recent ones were from November of this year.
“Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” read one of the messages, according to a log that the hacker shared with Motherboard.
“You are my HERO!Daddy!100 percent!” read another.
The server even contained several audio files. Some appear to be recordings of kid’s voices, according to the hacker, who shared one file with me.
In most, if not all, of these cases, the logs, pictures, and recordings can be traced back to specific usernames, allowing anyone in possession of the hacked data to identify the people chatting as well as those in the pictures. (I have reached out to the parent of the kid in the recording above, but haven’t heard back yet.)
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker told Motherboard. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames...of everyone in their Kid Connect contacts list.”
The company, in the meantime, has taken down “as a precautionary measure” some of its vulnerable portals, such as the Learning Lodge, as well as a dozen websites, VTech announced in a press release.
“That's the responsible thing to do until they can fix them,” Troy Hunt, a security researcher who helped me analyze the breach, tweeted over the weekend.
But for millions of VTech customers and their children, it’s too little too late.