The personal data of hundreds of thousands of children has been compromised following a hack on toy maker VTech.
The Hong Kong-based children’s electronics manufacturer confirmed that an “unauthorized party” accessed data housed on its Learning Lodge app store earlier this month affecting “about 5 million customer accounts and related kids profiles worldwide”. The Motherboard website, which says it received the data dump from the hacker and had security expert Troy Hunt review it, says information from over 200,000 children was included in the breach. The company announced the hack on Black Friday – a day when consumers are traditionally more focused on buying products, rather than worrying about their security.
The hacked data includes names, email addresses, passwords, and home addresses of parents – along with the first names, genders and birthdays of affected children. Hunt notes the data points can be linked to pinpoint children’s addresses, potentially putting them at risk. In a blog post, he wrote:
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.”
UPDATE (November 30, 3:30 pm): Beyond the demographic and personal information that was taken from VTech’s servers, the hacker also tells Motherboard he has obtained thousands of children’s and families’ images taken with the cameras on the company’s tablets and other products – as well as chat logs and audio recordings of children. These, too, can be linked to specific usernames, which can sometimes be tied to home addresses.
VTech is referring all questions about the security breach to a public relations firm. Officials at that firm did not immediately reply to Fortune’s inquiries seeking confirmation of the breach of photos and more. Nor did they explain why VTech was keeping such data on its servers, rather than in the products’ internal memory. (Fortune will update this story when and if we hear back.)
The Learning Lodge app store lets customers download apps, learning games, e-books and more. VTech says it has temporarily shut down the service along with 13 of its Websites to assess and reinforce their security.
VTech also noted that its database does not contain personal information such as Social Security numbers or credit card information.
The breach affected users in the US, Canada, UK, Ireland, France, Germany, Spain, Belgium, Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, New Zealand and Australia. The company says it has reached out to every account holder in its database (via email) to alert them to the breach.
“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future,” VTech said in a statement.
Security experts say this is one of the largest breaches of children’s data on record – and note that there’s an increasing demand for that data on the black market.
“In the hacker community, children’s data is so much more valuable than adult data when you’re trying to create new identities,” says Hemu Nigam, founder of SSP Blue, an Internet security consultant business and former VP of internet enforcement at the MPAA. “Because there’s no existing record, a hacker can create a credit card application using legitimate information and the child and parent won’t know it happened until the child becomes of adult age – and by that time, they have an awful credit score and don’t know what’s going on.”
The hack comes as the issue of children’s privacy is in focus this holiday season. Activists have sounded the warning on Mattel’s high-tech Hello Barbie doll, which records a message from kids which is then analyzed by a Mattel partner before an audio response is returned over the Internet.
“Everything that’s electronic, parents should treat as accessible to a hacker,” says Nigam. “If [you were affected by the VTech hack and] you have children who don’t have credit, I would contact the credit companies and ask ‘is there something in my child’s name’ just in case – and make that a practice every six months to year.”