Vtech breach dumps 4.8m families' information, toy security is to blame

[Read the post]

I understand the US has quite strict laws governing the personal information of minors, but I don’t know the details. Is it possible for somebody, maybe the DOJ, to make life uncomfortable for a HK corporation?

1 Like

Bad as this is, I have to wonder: what kind of parent puts personally identifiable information about themselves and/or their family online? Seriously, use a burner email address and a bogus physical address and phone number.

1 Like

Honestly? Normal ones with a small amount of trust


Even small amount can be too much.
Don’t trust the corporations.
Don’t trust the Cloud.

you missed the most important part of the sentence though:

Normal ones

1 Like

I did not. The “normal ones” are the ones with overly high trust in inherently untrustable institutions.


But if the majority have that amount of trust, is that not the normal amount of trust?

1 Like

“Normal” can easily be “overly high” at the same time.

That the majority does something does not mean it is a good idea.
“Eat shit - billions of flies cannot be wrong.”


I gave them some of that info, but I’m an optimist who is consistently surprised and appalled when I see credentials and other secrets persisted into source control.

Unsalted hashes, though? I hope they got a steep discount.

Everything else was plaintext though… It’s not that expensive to encrypt everything at rest…


See? Proof that absolutely nothing can go wrong with corporations storing personal information.


This sort of thing certainly smells like a potential violation of the “Children’s Online Privacy Protection Act of 1998”, the world’s #1 reason for lying about being under 13 while on the internet; but I’m not sufficiently familiar with the exact procedural requirements of the law(various stuff about what can and can’t be collected with and without parental consent, requirements for having a privacy policy) and my desire to grovel through vtech’s ghastly flash interfaces to see whether they comply is…limited.

I would suspect that, with a hack this dramatic, any failures to adhere to procedural requirements(both in the US and in the EU states where they appear to have sold a substantial percentage of the devices) will be followed up on more carefully and harshly than usual; but I’m not sure that (at least in the US) there is any law that actually says “Don’t make catastrophically dumb security mistakes, idiot”; just ones that have lots of checkbox requirements that can be fulfilled in various ways, some actually helpful, some cargo-cult. Unless they followed those to the letter, though, it is likely that they’ll get the smackdown for this data breach under the guise of punishment for those violations.

As for being in HK, probably won’t help them much. Even if they are 100% safe there, their business involves selling stuff abroad; and that requires either cooperating with the authorities in the export markets, or leaving those markets. Given that vtech’s stuff is mostly awful crap, and not terribly unusual or interesting awful crap, it’s not like black-market toy smugglers are going to stick their necks out to keep the product moving.

What? I’ve never pretended to be under 13, I swear! I just act that way.


The flavor who pretend to be 13 or older are mostly fine; but, since COPPA, I’m fairly sure that the only people who will actually claim to be under 13 on the internet are cops or filming To Catch A Predator episodes.

I don’t think that anyone suspects COPPA of being particularly effective; but it creates a strong incentive to pretend that you don’t cater to children and a correspondingly strong incentive to pretend that you are not a child.

It’s not that expensive to encrypt everything at rest…

And yet not even OPM could be bothered.


As someone under a new mandate that data needs to be encrypted inflight and at rest, I can attest to it being annoying.

You can encrypt it at rest - but you can only make use of it if your tools for manipulating the information have the ability to decrypt it at will. The data may well have been encrypted on disk, but extracted through a program that had the encryption keys loaded into memory because how else are you supposed to actually handle the information that you presumably gathered in order to handle it in some way…

1 Like

I know, which is why it’s annoying.

However, since they hashed the passwords but didn’t bother to salt, then they probably just didn’t even care.

I don’t doubt that if they have some bare metal servers somewhere, we’ll find other problems with their datacenter setup.

1 Like

Another link: http://edtechinfosec.org/2015/11/30/vtech-vs-edtech/

This problem isn’t entirely unique to vtech.


This topic was automatically closed after 5 days. New replies are no longer allowed.