Vtech, the largest manufacturer of electronic toys, has confirmed that the recent hack of its app store affects more than 10 million accounts, including 6.3 million kid profiles worldwide. The hack, carried out by "an unauthorised party", is the fourth largest consumer data breach.
The company admitted that its app store customer database, Learning Lodge, was not secure enough, which allowed hackers to gain access to its system. It claims to have taken firm action to guard against future attacks.
In a statement, Vtech said: "In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which include approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids' accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."
The breakdown of people affected in each country shows that the largest number of affected parents and kids are in the US, followed by France and the UK. Other affected countries are Germany, Canada, Spain, Belgium, the Netherlands, Ireland, Latin America, Australia, Denmark, New Zealand and Luxembourg.
In its response to the leak of kids' photos and chat logs between parents and children, the company said the images and audio files are encrypted with AES128, although the chat logs are not encrypted. "Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days," added Vtech.
Along with Learning Lodge, the servers of Kid Connect, which is similar to the WhatsApp service, were also hacked. As of now, the app store, the Kid Connect network and a number of other sites have been suspended whilst the company carries out a security assessment.
The affected consumer databases contain user information such as names, email IDs, passwords, questions and answers for password retrieval, IP addresses, and mailing addresses as well as download history. They do not contain customers' credit card information or any personal identification data such as ID card numbers, social security numbers or driving licence details.