Anyone following the news this week likely learned of the massive breach exposing the personal data of millions of parents and their children. VTech, a Hong Kong-based toy maker, was hacked, exposing everything from children’s names and home addresses to pictures (reportedly 190GB worth of photos) and chat logs.

This is yet another reminder that assaults on bank accounts are not all we have to worry about when it comes to breaches. The Ashley Madison and OPM breaches are two such examples, but what makes this breach scary is that it is about children, most of whom are still in their early years.

While the toy manufacturer reels from the massive PR blow as a consequence of this breach, many started to wonder: who is behind the attack and, more importantly, why do it?

In early November 2015, the attacker approached Lorenzo Franceschi-Bicchierai, a journalist at Motherboard, sharing with him a portion of the stolen data from VTech’s servers, claiming that the company was guilty of “shitty security.”

Lorenzo, in turn, shared that data with Troy Hunt, the person behind the widely used, free Have I Been Pwned service, for him to analyze and help victims figure out if they were part of the breach. Troy has released a detailed account of how events unfolded on his blog.

It later transpired that the attacker leveraged one of the oldest, yet most prevalent and dangerous vulnerabilities in the book to pull off the heist—SQL injection.

From there the attacker managed to escalate privileges to the ‘root’ user on the system, which allowed the attacker to pivot to other VTech servers and collect millions of records of parents and their children.

To make matters even worse, VTech was not only using MD5 to hash users’ passwords, but these hashes were also unsalted. We’ve already covered the topic of password hashing right after the Ashley Madison breach, but in summary, storing MD5-hashed passwords (especially unsalted ones) is almost as bad as storing passwords in plaintext (passwords for children’s accounts were actually stored as plaintext).
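The weakness of unsalted MD5 and a salted, memory-hard replacement, shown as an added example (it is not VTech's code and not from the original article). The function names, the record format and the sample password are assumptions made for illustration; scrypt from Python's standard library stands in for any modern password hash.

```python
import hashlib
import hmac
import os

def legacy_md5(password: str) -> str:
    """Unsalted MD5 as described in the article: same password, same hash, for every user."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Salted scrypt record (hypothetical format): scrypt$n$r$p$salt$key."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt and cost, then compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def login_and_upgrade(password: str, stored: str):
    """Accept a legacy MD5 record once, then return a scrypt record to store instead."""
    if stored.startswith("scrypt$"):
        return verify_password(password, stored), stored
    ok = hmac.compare_digest(legacy_md5(password).encode(), stored.encode())
    return ok, (hash_password(password) if ok else stored)

if __name__ == "__main__":
    pw = "princess1"  # constructed sample password, not taken from any breach data
    # Two accounts with the same password are indistinguishable under unsalted MD5,
    # so one precomputed lookup table covers every account in the dump.
    print("md5 user A:", legacy_md5(pw))
    print("md5 user B:", legacy_md5(pw))
    # With a per-user salt and a slow hash, each record must be attacked separately.
    print("scrypt user A:", hash_password(pw))
    print("scrypt user B:", hash_password(pw))
    ok, upgraded = login_and_upgrade(pw, legacy_md5(pw))
    print("legacy login ok:", ok, "-> stored as", upgraded.split("$")[0])
```

`login_and_upgrade` shows one way to migrate an existing table: each legacy record is replaced the first time its owner logs in successfully, so the MD5 column can eventually be dropped.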

As if poor password hashing were not enough, VTech also did not encrypt sensitive information such as addresses, birth dates and other personal information, nor was the site making use of TLS/SSL. The lack of TLS/SSL means users’ credentials were sent in clear text, which is not something that is ‘OK’ in anyone’s book in this day and age!

After VTech was notified of the breach, Motherboard released the story, which quickly spread and also captured the attention of the mainstream media. The company later released a public announcement on its website, apologizing for the incident.

What is particularly interesting about this data breach is that the attacker, although still anonymous, seems to have hacked VTech simply to raise awareness about the issue; selling or dumping the data online was never an option that was considered, as the following statements by the attacker to Motherboard attest.

“When I got the [database] dumps, I realized how serious it was… Profiting from [database] dumps is not something I do. Especially not if children are involved!… I just want issues made aware of and fixed.”

VTech has since taken several of its services offline in light of the breach; however, that does nothing to change the fact that the personal information of millions of parents and their children was up for grabs by any attacker with some SQL injection savvy. The silver lining of this incident is that VTech’s attacker doesn’t seem to have malicious intent, but history teaches that this is the exception rather than the rule.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.