Toymaker VTech hit by cyber attack

Company says cyber attack on digital toymaker VTech Holdings Ltd is largest, exposing data of nearly 6.4 million children

Photo by: Reuters
Photo by: Reuters

VTech's products are seen on display at a toy store in Hong Kong, China November 30, 2015.

A cyber attack on digital toymaker VTech Holdings Ltd exposed the data of 6.4 million children, the company said on Tuesday, in what experts called the largest known hack targeting youngsters.

The Hong Kong-based firm said the attack on databases for its Learning Lodge App Store and Kid Connect messaging system affected even more kids than the 4.9 million adults that the company disclosed on Friday.

Security experts said they expected the size of the breach would prompt governments to scrutinise VTech and other toymakers to review their security.

"This breach is a parent's nightmare of epic proportions," said Seth Chromick, a threat analyst with network security firm vArmour. "A different approach to security for all organisations is needed."

Chris Wysopal, co-founder of cyber security firm Veracode, said it could be a wake up call for families in the same way that the hack on infidelity website Ashley Madison earlier this year made adults realise online data might not be safe.

VTech said in a statement on its website that the children's profiles included only name, gender and birth date. Stolen data on their parents included name, mailing address, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password. 

The United States had the most VTech customers whose data was accessed, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands.

At least two U.S. states have begun investigations into the attack, along with regulators in Hong Kong.

"This case will lead many toy companies to rethink their security protections for children's data," said Shai Samet, founder of Samet Privacy, which audits toymakers for compliance with the U.S. government's Children's Online Privacy Protection Act.

Technology news site Motherboard, which broke news of the breach last week, reported that the person who claimed responsibility for the hack said "nothing" would be done with the stolen information. (

Security experts were skeptical, noting that the stolen data could be worth millions of dollars.

"I wouldn't trust him," said Troy Hunt, a security expert who reviewed samples of stolen data and information about the attack for Motherboard.

"I don't believe the word of anyone who compromises a network," said Justin Harvey, chief security officer with Fidelis Cybersecurity.