Lorenzo Franceschi-Bicchierai reports:
The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier this month after a hacker broke into the servers of a Chinese company that sells kids toys and gadgets, Motherboard has learned.
The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids.
What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard.
Read more on Motherboard.
VTECH’s statement says, in part:
VTech Holdings Limited today announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.
[….]
Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
For reasons that defy logic, Lorenzo used Have I Been Pwned to declare this the fourth largest consumer data breach to date. It’s not even close to that, and Troy Hunt’s site, while a valuable resource, is not a good resource for determining largest breaches. A breach affecting less than 6 million probably wouldn’t even make the top 20. Update: After I contacted him on Twitter, Lorenzo is fixing that part of his report.
Update 2: See Troy Hunt’s excellent piece on how he verified this breach and the concerns it raises on Ars Technica.