UPDATE VTech, a company that manufactures electronic learning devices, baby monitors, toys, and other equipment, announced Monday that information from five million customer accounts, which include identity information belonging to children, were accessed in an attack earlier this month.
The news follows up a statement from the company late last week that attackers had infiltrated one of its databases and accessed customer information.
According to a press release the Hong Kong-based company issued on Friday, the database contains users names, email addresses, encrypted passwords, IP addresses, mailing addresses, and download history. The database also includes customers’ password retrieval information, including “secret questions” and responses.
On Monday the company provided more information about the breach and confirmed the database that was accessed also includes children’s names, genders, and birth dates. VTech did not clarify what percentage of the information that was leaked pertained to children.
In a FAQ the company claims that information from users based in the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand may be affected.
According to Vice’s Motherboard, the attacker got more personally identifiable information than just names and addresses.
The hacker was also able to download more than 190 gigabytes of photos, including tens of thousands of headshots of parents and children. In addition to photos the attacker also was able to find audio recordings of children and chat logs that were being stored in a database associated with Kid Connect, a service the company runs that allows parents to communicate with children.
VTech has yet to release a statement about the leaked photos, audio recordings, or chat logs.
Ironically the news falls on a day when thousands of parents will likely purchase a VTech toy for their children for Christmas as part of “Cyber Monday,” a day trumpeted by online retailers worldwide that serves as the kick off for the online Christmas shopping season.
It’s unclear exactly how an attacker was able to penetrate the database, but according to VTech, the company claims it noticed on Nov. 14 “irregular activity” on a site it runs, Learning Lodge, that corresponds to the database. VTech claims it was notified of the issue by a Canadian journalist a week ago, on Nov. 23.
VTech has temporarily suspended the site and a dozen similar sites while it sorts out the breach.
Prior to the site’s shuttering, parents could log into the company’s Learning Lodge and download games, apps, and music for tablets and other devices. Parents could also track their child’s progress on games and other educational apps.
For what it’s worth, the company insists the databases did not contain any user credit card information, and that any purchases customers made through the site were done via a third party payment gateway. Regardless VTech claims its reached out to every account holder in its database, via email, to alert them of the breach while it continues its investigation.