Millions of families hit in toymaker VTech hack – including 200,000+ kids

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker's database. And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too. Chinese electronics giant VTech today admitted its …

Devil

Naff

It can't be just me, but I take one look at these toys, equate them to naff, overpriced tat and run a mile.

Silver badge

Re: Naff

Our littlun got given one for xmas a few years back by a family member.

They're not bad pieces of kit, per se, but definitely shouldn't go for the price they do. But VTech are out and out robbing bastards (the one cartridge that comes with the tablet is loaded with nothing but ads).

Not received an email, but logged in to check what might have been lost:

- kid's name: beetlejuice
- kid's DoB: wrong day, month and year
- account email: dedicated mailbox
- account pass: random string unique to VTech
- address: 200 miles out

Some would say I have trust issues, but time and time again I seem to be being proven right.

Companies need to stop asking for data they don't need and can't protect.


Re: Naff

You don't have trust issues. Lots of other people have them, serious ones, but your trust systems seem to be doing quite well.

Silver badge
Thumb Up

Re: Naff @BEN

"Some would say I have trust issues"

I fail to see how you could possibly have trust issues. You obviously distrust everyone on the interwebs. Why on earth should you trust them anyway?

Seriously, only an idiot would give valid data to anyone, online or offline for that matter, where it's not needed.

Have an upvote.

Silver badge

Re: Naff

"Some would say I have trust issues"

No you don't but plenty of companies do, so it seems.

Silver badge

Re: Naff

It amazes me VTech tablets still sell when a landfill Android could be yours for less money. On the other hand it's probably only a matter of time before Google Play splaffs one's personal details everywhere - either by accident or design.

Proverbs for Paranoids No. 3


Re: Naff

They sell partly (I imagine) because they're more robust than an ordinary Android one. If you give something to a child they WILL break it, mostly by accident, so the longer the thing survives before it breaks the better.

Silver badge
Childcatcher

Re: Naff

"Some would say I have trust issues"

As others have suggested, it's others who have trust issues in that they are too trusting with the information they dish out.

Given that this one does have a 'think of the children' slant, we can hope that finally people will sit up and take notice, and begin to question why companies want our data, what they do with it, and whether they can be trusted to keep it safe*.

The first problem is that unless this hits the mainstream news, like the TalkTalk hack, the only people who will ever know about it are the people directly affected, and those who read about it on sites like this one.

The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.

A side problem is that sometimes we have to give up accurate information - for example if the company needs to do a credit check. That doesn't necessarily mean we trust them with it, though. It just means we swear at the monitor, type the necessary info in, then turn around and bend over. I don't know why keyboards don't come with a detachable 'Enter' key that we can place on the floor behind us. Much easier to drive the point home.

* Answer: nobody can ever truly know that about a company until it's too late, at which point the answer is "no"

Silver badge

Re: Naff

The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.

Especially as VTech are playing the same card as TalkTalk - focusing on direct financial consequences (we don't store credit card details) - rather than acknowledging that losing non-financial data can also be harmful.

As an example, a particularly "entertaining" section from their official statement:

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Correct, but they did lose (from earlier in their statement):

- Name
- Secret question and answer
- Mailing address
- IP address

Which is pretty identifying. Given people re-use secret questions all the damn time, that's more than enough for me to get in contact as "your ISP". All I need to find is a phone number, which is fairly simple given the information above.

I'd have more respect for them if their statement simply read "We fucked up"

Silver badge

vTech vs. Android

The vTech kit also has the advantage of not needing internet connectivity, so the kids aren't burning your money with micro-transactions or finding their way onto the not quite as child-friendly parts of the internet. That being said, yeah, their prices are fairly ridiculous compared to modern devices.


Re: Naff

The question with giving private info to corporations and government is not "are you paranoid", but rather "are you paranoid ENOUGH"?

For instance, can that dedicated mailbox be linked to you in any way, say by looking at the admin details for the domain if you happen to own the domain? Etc.

So long as they keep asking for details they don't need, I'll keep providing answers they don't want.

Silver badge
Facepalm

Yet...

The IoT juggernaut roils on unabated.

Silver badge
Facepalm

You are connected to the interwebs...

And you get hacked, fact of life.

Moving on... A computer is hacked and you can (Daft Punk's Technologic sounds in the background) wipe, re-install, format, disinfect, update, remove, inspect, tamper, re-configure, install, copy, compile, code, patch, upgrade, paste...

What can you do to your IoT toaster, TV, heating, smart meter?

Answer: NOOOOOOOTHING!

And yes, I'm drunk! It's Friday!

Joke

Easily fixed

Just rename your kids (remembering to use a mixture of upper and lower case and include numbers and symbols)

Silver badge

Re: Easily fixed

That's an unusual name you have there, Mr Horse-Battery-Staple, how did you come by it, if you don't mind my asking? Obligatory XKCD reference: https://xkcd.com/936/

Silver badge
Facepalm

Re: Easily fixed

@Tromos

Just get them a QR Code tattoo on the forehead and have your smartphone remember who they are.

Anonymous Coward

Re: Easily fixed

Or better still... Don't have kids at all and save the planet. (I may need to provide more proof here.)

Silver badge

Re: Easily fixed

Interestingly, alarm bells should have gone off when Mrs Tables had so much trouble registering her son's device.

https://xkcd.com/327/

Silver badge

Re: Easily fixed

I had to give you an up-vote, but her name is Mrs. Roberts; Bobby Tables is her son's nickname.

Much like her daughter, Help I'm trapped in a driver's license factory, is called Elaine, which is her middle name.

...I may have spent too much time reading XKCD.

Anonymous Coward

May as well get used to it kiddies. This is the world you live in.

Just give them a year free credit monitoring.

Silver badge
Trollface

Meanwhile in 2035

Dad, I'm trying to buy a moped on installments but no shop would pass my credit check. I do not understand why; I just got my first job and I owe nobody...

Junior, I'm sorry your vtech account was hacked when you were 5 and your identity stolen, your mum and I always wanted to talk to you about it... but we know nothing about IT so...

Anonymous Coward

VTech just hacked in, yo!

The subtitles are writing themselves.

Silver badge

MD5, a particularly weak hashing algorithm

Not really. Yes, you can construct a collision but in this case you are forced to use printable ASCII of limited length to find a text that hashes to the same unknown password. That does not sound practical. Worse is the absence of salt, which leads to a nice rainbow table attack possibility.

Silver badge

Yep. If you follow Troy's blog, he just Googled the hash string. Can't do that with salted hashes.

Silver badge

I would assume that an attacker would do it the other way around, where a bunch of passwords are taken from a dictionary or brute-force algorithm, run through an MD5 hash, and the results then compared to the list of stolen passwords. A modern GPU could burn through about 2 billion passwords per second (a report found that an Nvidia 8800 Ultra could do 200 million per second with approx. 576 GFlops of computational power; its modern equivalent, the GeForce Titan X, has about 6100 GFlops of oomph), so going through the most common passwords and most of the English language would probably take an afternoon; throw a botnet / AWS at the problem and you could burn through a significant part of the possible table space in a couple of days.

Of course this assumes that you don't already have a bunch of rainbow tables sitting around already.

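The three comments above make two points worth seeing side by side: a bare, unsalted MD5 store falls to a precomputed table by simple lookup (and betrays itself through duplicate hashes across users), while a random per-user salt plus a slow KDF makes any shared table useless. This is an added illustration, not code from any commenter or from VTech; the word list and passwords are constructed, and PBKDF2-HMAC-SHA256 stands in for whatever slow KDF a real deployment would choose.

```python
import hashlib
import hmac
import os

# Constructed sample word list (made up for this illustration, not real leaked data).
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "vtech2015"]

def md5_unsalted(password: str) -> str:
    """The scheme criticised in the thread: one bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def build_md5_table(words) -> dict:
    """Precomputed table hash -> word; built once, reusable against ANY unsalted dump."""
    return {md5_unsalted(w): w for w in words}

def recover_unsalted(dumped_hashes, table) -> dict:
    """Match dumped unsalted hashes by pure lookup: no hashing work per guess at all."""
    return {h: table[h] for h in dumped_hashes if h in table}

def duplicate_hashes(dumped_hashes) -> dict:
    """Defender's audit: identical hashes across users only happen without per-user salt."""
    counts = {}
    for h in dumped_hashes:
        counts[h] = counts.get(h, 0) + 1
    return {h: n for h, n in counts.items() if n > 1}

def pbkdf2_salted(password: str, salt=None, iterations: int = 200_000) -> str:
    """Corrected scheme: random 16-byte salt plus a slow KDF, stored as salt$iters$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iters, digest = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest)

if __name__ == "__main__":
    # Two users share "password"; one picked something not in the word list.
    plaintexts = ["password", "password", "letmein", "Tr0ub4dor&3"]
    unsalted = [md5_unsalted(p) for p in plaintexts]
    table = build_md5_table(COMMON_WORDS)
    print("unsalted recovered:", recover_unsalted(unsalted, table))  # 2 of 4 fall instantly
    print("unsalted duplicates:", duplicate_hashes(unsalted))        # the shared "password"
    salted = [pbkdf2_salted(p) for p in plaintexts]
    print("salted recovered:", recover_unsalted(salted, table))      # {} - the table is useless
    print("salted duplicates:", duplicate_hashes(salted))            # {} - same password, distinct hashes
```

The duplicate-hash audit is the cheap check a defender can run on their own credential store without knowing a single password: any collision between accounts means the salt is missing or shared.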
Childcatcher

# A B C D E F G #

All your details belong to me!

Anonymous Coward

I'm confused. I have a Leapfrog My Pal Scout, never registered with VTech, and yet I am on haveibeenpwned as being part of said hack (though they would have got nothing).

Leapfrog (NYSE) have no connection to VTech (HKSE) other than selling the same type of toys.

I decided to test this and did a "forgot password". I logged in, and all they have information-wise is country Ireland (wrong), no device, no kids, no address.

I then decided to test a spurious email address (bob@bob.com) just to check if it is a way of getting email addresses, no dice for bob.

This leads me to believe that Leapfrog sold my (crap) information to VTech.

Is this legal?

Silver badge

"This leads me to believe that Leapfrog sold my (crap) information to VTech.

Is this legal?"

Leapfrog are US based, so yes. Although I'm not sure your chain of events is watertight proof that they did.


VTech?

Didn't they use to make cordless phones/answering machines?

Bronze badge

"does not contain any personal identification data"

like name, address, DOB, gender...

Silver badge

Since that quote refers to social security numbers and such like, the only possible response is a slight misquote:

You are not a free man, you are a number!

Anonymous Coward

"I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"

Yes, you will. You will also be taxed, re-taxed, seized, inflated-away, button-pushed, newspeaked, lawfared, crimethoughted, arrested, re-arrested, terrorised, observed, xkeystored, sold, resold and owned.

Silver badge
Pint

And with any luck you'll be sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months. Dunno about being recycled as firelighters.

Peat. Hmmm, whisky.

Anonymous Coward

Whisky made from peon tears? I say!

Silver badge

You forgot ...

"I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"

Yes, you will. You will also be taxed, re-taxed, seized, inflated-away, button-pushed, newspeaked, lawfared, crimethoughted, arrested, re-arrested, terrorised, observed, xkeystored, sold, resold and owned.

... folded, mutilated, and spindled.

Silver badge
Unhappy

Re: You forgot ...

"... folded, mutilated, and spindled."

Damn you!

I've spent half an hour trying (and failing) to remember the sci-fi story I saw that in.


Oh dear...

Apparently gaining personal info via hacking nowadays is child's play...

D

Silver badge

Another week, another hack

You know the drill.

Gold badge
Childcatcher

TOFTC

Oh yes.

Definitely.

Silver badge

Bah!

Crow away, El Reg, but during this session you served me up a page attempting to trick me into visiting "a Firefox security update" page when I rolled over one of the ads.

Joke

Re: Bah!

ads? What are these "ads" you speak of?

Meh

Dear Valued Customer?

Seems a bit impersonal for something so important. The irony is the hackers have more personal data to hand than the vendor.


This is happening too often …

The real problem is that everybody here knows what’s wrong with the setup but nobody in the Real World seems to know.

Ordinary adults still naively submit personal details to morons who don’t know how to keep a secret.

Personally I lie about every non-essential detail, and create a unique password for every new online account. Most normal human beings can’t be bothered or don’t understand the risks.

It’s about time that practical standards of security were created and that all vendors collecting personal information be required to adhere to them, or at least to indicate whether they do or not. In Australia, at least, banking, public transport and trades, to name a few, are all regulated. There is no reason that the same consumer protection can’t be applied to privacy & security.

