Millions of families hit in toymaker VTech hack – including 200,000+ kids

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker's database. And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too. Chinese electronics giant VTech today admitted its …

  1. cosymart
    Devil

    Naff

    It can't be just me, but I take one look at these toys and equate them to naff overpriced tat and run a mile.

    1. Ben Tasker

      Re: Naff

      Our littlun got given one for Xmas a few years back by a family member.

      They're not bad pieces of kit, per se, but definitely shouldn't go for the price they do. But VTech are out and out robbing bastards (the one cartridge that comes with the tablet is loaded with nothing but ads).

      Not received an email, but logged in to check what might have been lost

      - kid's name: beetlejuice

      - kid's DOB: wrong day, month and year

      - account email: dedicated mailbox

      - account pass: random string unique to vtech

      - address: 200 miles out

      Some would say I have trust issues, but time and time again I seem to be being proven right.

      Companies need to stop asking for data they don't need and can't protect

      1. als1232

        Re: Naff

        You don't have trust issues. Lots of other people have them, serious ones, but your trust systems seem to be doing quite well.

      2. PNGuinn
        Thumb Up

        Re: Naff @BEN

        "Some would say I have trust issues"

        I fail to see how you could possibly have trust issues. You obviously distrust everyone on the interwebs. Why on earth should you trust them anyway?

        Seriously, only an idiot would give valid data to anyone online (or offline, for that matter) where it's not needed.

        Have an upvote.

      3. Doctor Syntax Silver badge

        Re: Naff

        "Some would say I have trust issues"

        No you don't but plenty of companies do, so it seems.

      4. MyffyW Silver badge

        Re: Naff

        It amazes me VTech tablets still sell when a landfill Android could be yours for less money. On the other hand it's probably only a matter of time before Google Play splaffs one's personal details everywhere - either by accident or design.

        Proverbs for Paranoids No. 3

        1. Anonymous Coward
          Anonymous Coward

          Re: Naff

          They sell partly (I imagine) because they're more robust than an ordinary Android one. If you give something to a child they WILL break it, mostly by accident, so the longer the thing survives before it breaks the better.

        2. Crazy Operations Guy

          vTech vs. Android

          The vTech kit also has the advantage of not needing internet connectivity, so the kids aren't burning your money with micro-transactions or finding their way onto the not quite as child-friendly parts of the internet. That being said, yeah, their prices are fairly ridiculous compared to modern devices.

      5. VinceH
        Childcatcher

        Re: Naff

        "Some would say I have trust issues"

        As others have suggested, it's others who have trust issues in that they are too trusting with the information they dish out.

        Given that this one does have a 'think of the children' slant, we can hope that finally people will sit up and take notice, and begin to question why companies want our data, what they do with it, and whether they can be trusted to keep it safe*.

        The first problem is that unless this hits the mainstream news, like the TalkTalk hack, the only people who will ever know about it are the people directly affected, and those who read about it on sites like this one.

        The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.

        A side problem is that sometimes we have to give up accurate information - for example if the company needs to do a credit check. That doesn't necessarily mean we trust them with it, though. It just means we swear at the monitor, type the necessary info in, then turn around and bend over. I don't know why keyboards don't come with a detachable 'Enter' key that we can place on the floor behind us. Much easier to drive the point home.

        * Answer: nobody can ever truly know that about a company until it's too late, at which point the answer is "no"

        1. Ben Tasker

          Re: Naff

          The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.

          Especially as VTech are playing the same card as TalkTalk - focusing on direct financial consequences (we don't store credit card details) - rather than acknowledging that losing non-financial data can also be harmful.

          As an example, a particularly "entertaining" section from their official statement:

          In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

          Correct, but they did lose (from earlier in their statement):

          - Name

          - Secret question and answer

          - Mailing address

          - IP address

          Which is pretty identifying. Given people re-use secret questions all the damn time, that's more than enough for me to get in contact as "your ISP". All I need to find is a phone number, which is fairly simple given the information above.

          I'd have more respect for them if their statement simply read "We fucked up"

      6. raving angry loony

        Re: Naff

        The question with giving private info to corporations and government is not "are you paranoid", but rather "are you paranoid ENOUGH"?

        For instance, can that dedicated mailbox be linked to you in any way, for instance by looking at the admin details for the domain if you happen to own the domain? etc.

        So long as they keep asking for details they don't need, I'll keep providing answers they don't want.

  2. Zog_but_not_the_first
    Facepalm

    Yet...

    The IoT juggernaut roils on unabated.

  3. John Sanders
    Facepalm

    You are connected to the interwebs...

    And you get hacked, fact of life.

    Moving on... A computer is hacked and you can (Daft punk's Technologic sounds in the background) wipe, re-install, format, disinfect, update, remove, inspect, tamper, re-configure, install, copy, compile, code, patch, upgrade paste...

    What can you do to your IoT toaster, TV, heating, smart meter?

    Answer: NOOOOOOOTHING!

    And yes, I'm drunk! It's Friday!

  4. Tromos
    Joke

    Easily fixed

    Just rename your kids (remembering to use a mixture of upper and lower case and include numbers and symbols)

    1. Anonymous Coward
      Anonymous Coward

      Re: Easily fixed

      That's an unusual name you have there, Mr Horse-Battery-Staple, how did you come by it, if you don't mind my asking? Obligatory XKCD reference: https://xkcd.com/936/

    2. chivo243 Silver badge
      Facepalm

      Re: Easily fixed

      @Tromos

      Just get them a QR Code tattoo on the forehead and have your smartphone remember who they are.

    3. Anonymous Coward
      Anonymous Coward

      Re: Easily fixed

      Or better still... Don't have kids at all and save the planet. (I may need to provide more proof here.)

    4. Adam 1

      Re: Easily fixed

      Interestingly, alarm bells should have gone off when Mrs Tables had so much trouble registering her son's device.

      https://xkcd.com/327/

      1. Swarthy

        Re: Easily fixed

        I had to give you an up-vote, but her name is Mrs. Roberts, Bobby Tables is her son's nick-name.

        Much like her daughter, Help I'm trapped in a driver's license factory, is called Elaine, which is her middle name.

        ..I may have spent too much time reading XKCD.

  5. Anonymous Coward
    Anonymous Coward

    May as well get used to it kiddies. This is the world you live in.

    Just give them a year free credit monitoring.

  6. John Sanders
    Trollface

    Meanwhile in 2035

    Dad, I'm trying to buy a moped on installments but no shop would pass my credit check. I do not understand why, I just got my first job and I owe nobody...

    Junior, I'm sorry your vtech account was hacked when you were 5 and your identity stolen, your mum and I always wanted to talk to you about it... but we know nothing about IT so...

  7. Anonymous Coward
    Anonymous Coward

    VTech just hacked in, yo!

    The subtitles are writing themselves.

  8. Destroy All Monsters Silver badge

    MD5, a particularly weak hashing algorithm

    Not really. Yes, you can construct a collision but in this case you are forced to use printable ASCII of limited length to find a text that hashes to the same unknown password. That does not sound practical. Worse is the absence of salt, which leads to a nice rainbow table attack possibility.

    1. Adam 1

      Yep. If you follow Troy's blog, he just Googled the hash string. Can't do that with salted hashes.

    2. Crazy Operations Guy

      I would assume that an attacker would do it the other way around: a bunch of passwords are taken from a dictionary or brute-force algorithm, run through an MD5 hash, and the results compared to the list of stolen hashes. A modern GPU could burn through about 2 billion passwords per second (a report found that an nVidia 8800 Ultra could do 200 million per second with approx 576 GFlops of computational power; its modern equivalent, the GeForce Titan X, has about 6100 GFlops of oomph), so going through the most common passwords and most of the English language would probably take an afternoon; throw a botnet / AWS at the problem and you could burn through a significant part of the possible table space in a couple of days.

      Of course this assumes that you don't already have a bunch of rainbow tables sitting around already.
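The three comments above between them describe the practical attack on an unsalted MD5 password table: not a collision search, but hashing a wordlist once and looking the leaked hashes up (or Googling them), which a per-user salt defeats because there is no longer a single table to precompute. The following Python is an added example written for this page; it is not code from the thread, the article or VTech. The usernames, passwords, wordlist and the "leaked" table are all constructed, and it uses only the standard library. It shows the lookup attack on unsalted MD5, what a salt changes (and what it does not: a weak password is still found, just at per-user rather than per-table cost), and the salted slow-KDF storage a real system should use instead.

```python
"""Constructed demonstration: dictionary lookup against unsalted MD5, the same
attack against per-user salted MD5, and salted scrypt storage for contrast.
Every username, password and wordlist entry here is made up for the example."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed "leaked" table of unsalted MD5 hashes, as the thread describes.
LEAKED_UNSALTED = {
    "alice": md5_hex(b"password1"),
    "bob":   md5_hex(b"letmein"),
    "carol": md5_hex(b"password1"),      # same password as alice
    "dave":  md5_hex(b"Xq7!vR2#pL9z"),   # not in the wordlist below
}

# Constructed stand-in for a real wordlist.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "dragon"]


def shared_passwords(leaked):
    """Before any cracking: identical unsalted hashes mean identical passwords,
    so password reuse is readable straight off the dump."""
    groups = defaultdict(list)
    for user, h in leaked.items():
        groups[h].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def crack_unsalted(leaked, wordlist):
    """Hash each candidate once, then look every leaked hash up in that table.
    Cost is O(W + N) and the table is reusable against any other unsalted MD5
    dump; a rainbow table is a compressed form of exactly this lookup."""
    table = {md5_hex(w.encode()): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def store_salted_md5(password, salt=None):
    """Return (salt_hex, hash_hex) with a random 16-byte per-user salt.
    MD5 is kept on purpose so only the effect of the salt is visible."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt.hex(), md5_hex(salt + password.encode())


def crack_salted(leaked_salted, wordlist):
    """No shared table is possible: each candidate is re-hashed per user, so
    cost is O(W * N).  Weak passwords are still found, just not for free."""
    found = {}
    for user, (salt_hex, digest) in leaked_salted.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            if hmac.compare_digest(md5_hex(salt + w.encode()), digest):
                found[user] = w
                break
    return found


def store_kdf(password, salt=None):
    """Salted and deliberately slow: scrypt from the standard library."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex(), key.hex()


def verify_kdf(password, salt_hex, key_hex):
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print("reuse visible in dump:", shared_passwords(LEAKED_UNSALTED))
    print("unsalted cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted = {u: store_salted_md5(p) for u, p in
              [("alice", "password1"), ("carol", "password1"), ("dave", "Xq7!vR2#pL9z")]}
    print("salted alice/carol hashes differ:", salted["alice"][1] != salted["carol"][1])
    print("salted cracked:", crack_salted(salted, WORDLIST))
    s, k = store_kdf("password1")
    print("kdf verify:", verify_kdf("password1", s, k), verify_kdf("password2", s, k))
```

Running it shows alice and carol sharing a hash before any wordlist is touched, three of four unsalted accounts falling to a six-word list, and the same two weak passwords still recovered once salted, only with one MD5 per user per candidate instead of one table for everyone. The scrypt parameters are illustrative; the point is that the salt removes the shared table and the KDF's cost removes the "2 billion per second".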

  9. ElectricFox
    Childcatcher

    # A B C D E F G #

    All your details belong to me!

  10. Anonymous Coward
    Anonymous Coward

    I'm confused, I have a Leapfrog my pal scout. Never registered with VTech and yet I am on haveibeenpwned as being part of said hack (though they would have got nothing)

    Leapfrog (NYSE) have no connection to VTech (HKSE) other than selling the same type of toys.

    I decided to test this and did a forgot password. I logged in and all the information they have is country Ireland (wrong), no device, no kids, no address.

    I then decided to test a spurious email address (bob@bob.com) just to check if it is a way of getting email addresses, no dice for bob.

    This leads me to believe that Leapfrog sold my (crap) information to VTech.

    Is this legal?

    1. Adam 52 Silver badge

      "This leads me to believe that Leapfrog sold my (crap) information to VTech.

      Is this legal?"

      Leapfrog are US based, so yes. Although I'm not sure your chain of events is watertight proof that they did.

  11. thomas k

    VTech?

    Didn't they used to make cordless phones/answering machines?

  12. cantankerous swineherd

    "does not contain any personal identification data"

    like name, address, DOB, gender...

    1. VinceH

      Since that quote refers to social security numbers and such like, the only possible response is a slight misquote:

      You are not a free man, you are a number!

      1. Anonymous Coward
        Anonymous Coward

        "I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"

        Yes, you will. You will also be taxed, re-taxed, seized, inflated-away, button-pushed, newspeaked, lawfared, crimethoughted, arrested, re-arrested, terrorised, observed, xkeystored, sold, resold and owned.

        1. Stoneshop
          Pint

          And with any luck you'll be sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months. Dunno about being recycled as firelighters.

          Peat. Hmmm, whisky.

          1. Anonymous Coward
            Anonymous Coward

            Whisky made from peon tears? I say!

        2. dajames

          You forgot ...

          "I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"

          Yes, you will. You will also be taxed, re-taxed, seized, inflated-away, button-pushed, newspeaked, lawfared, crimethoughted, arrested, re-arrested, terrorised, observed, xkeystored, sold, resold and owned.

          ... folded, mutilated, and spindled.

          1. Will Godfrey Silver badge
            Unhappy

            Re: You forgot ...

            "... folded, mutilated, and spindled."

            Damn you!

            I've spent half an hour trying (and failing) to remember the sci-fi story I saw that in.

  13. hi_robb

    Oh dear...

    Apparently gaining personal info via hacking nowadays is child's play...

    D

  14. ecofeco Silver badge

    Another week, another hack

    You know the drill.

  15. John Smith 19 Gold badge
    Childcatcher

    TOFTC

    Oh yes.

    Definitely.

  16. Stevie

    Bah!

    Crow away, El Reg, but during this session you served me up a page attempting to trick me into visiting "a Firefox security update" page when I rolled over one of the ads.

    1. Scott 26
      Joke

      Re: Bah!

      ads? What are these "ads" you speak of?

  17. SilverCommentard
    Meh

    Dear Valued Customer?

    Seems a bit impersonal for something so important. The irony is the hackers have more personal data to hand than the vendor.

  18. Mark Simon

    This is happening too often …

    The real problem is that everybody here knows what’s wrong with the setup but nobody in the Real World seems to know.

    Ordinary adults still naively submit personal details to morons who don't know how to keep a secret.

    Personally I lie about every non-essential detail, and create a unique password for every new online account. Most normal human beings can’t be bothered or don’t understand the risks.

    It’s about time that practical standards of security were created and that all vendors collecting personal information be required to adhere to them, or at least to indicate whether they do or not. In Australia, at least, banking, public transport and trades, to name a few, are all regulated. There is no reason that the same consumer protection can’t be applied to privacy & security.
