Toy maker VTech says breach hit 6.4 million kids' accounts

Most affected accounts were in the U.S.

Educational toy maker VTech has said 11.6 million accounts were compromised in a cyberattack last month, including those of 6.4 million children.

The total number of accounts affected is nearly double that reported last week by the security news site Motherboard, which interviewed a hacker who claimed credit for the breach.

Most of the account holders were in the U.S., including 2.2 million parents and 2.8 million children, VTech said Wednesday in Hong Kong, where the company is based. France, the U.K., Germany and Canada round out the top five countries hit, VTech said in an updated FAQ.

Data breaches have been become a top worry as cybercriminals and hackers probe online systems for weaknesses, resulting in massive breaches of payment card systems, health care data and U.S. government personnel records.

VTech's breach stands out because it affected millions of children. The profile data leaked included their names, genders and birth dates.

Reuters reported that the attorney generals of Illinois and Connecticut planned to investigate the breach, which occurred Nov. 14. And Hong Kong's privacy commissioner for personal data said he would check whether VTech was following data privacy principles.

VTech's toys include color touchscreen tablets for kids similar to Apple's iPad. The InnoTab 3 has a camera, and can record video and audio and download apps.

Motherboard also reported that photos of children and parents had been exposed, as well as chat logs. VTech said it couldn't confirm that images were leaked, but Motherboard published partially obscured images that it said it obtained from the hacker.

VTech said images on its servers are encrypted using the 128-bit Advanced Encryption Standard algorithm.

Chat logs from a VTech messaging service called Kid Connect are also believed to have been exposed, as well as some audio files. VTech said the chat logs were not encrypted, but that the audio files were encrypted using AES 128.

AES is considered a secure cryptographic algorithm and is widely used by the U.S. government. It's unclear how Motherboard or the hacker would have been able to decrypt the images, since brute-force attacks are nearly impossible.

The security of the encrypted files and images, however, depends on how well VTech protected the private decryption keys, and the release of images raises the question of whether the hacker obtained those as well.

The breach affected the customer database for Learning Lodge, an app store for VTech's devices, as well as the Kid Connect servers. VTech has suspended both services and 13 websites.

The company plans to hired a security consultancy firm to conduct a forensic investigation and "help us to design a new more secure approach to our data security," it said.

Of the 11.6 million accounts affected, 4.8 million belong to parents. The parent data included names, email addresses, weakly hashed passwords, secret questions for password retrieval, IP addresses, mailing addresses and download history. No payment information was compromised.

The leaked data doesn't appear to have been used for criminal purposes yet, VTech said. Since the breach was of its servers, VTech said there doesn't appear to be a risk of children being tracked while using its devices.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?