Electronic toy and education company VTech has revealed that the personal data of about five million parents and children has been exposed after its Learning Lodge app database was hacked.
According to a statement released by the company Monday, the Learning Lodge app – which allows customers to download apps, games and educational content to VTech products – contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories.
The database also contained kids’ profile information, including names, genders and dates of birth.
“VTech Holdings Limited noted that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on 14 November 2015,” read the statement.
“Upon discovering the unauthorized access on 24 November 2015, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.”
The company noted that the database does not contain any credit card information.
Customers in Canada, the U.S., the UK, Australia, Hong Kong and many European countries are affected.
According to “Have I Been Pwned,” a website dedicated to detailing the Internet’s worst data breaches, the VTech hack is the fourth-largest consumer data breach to date. To compare, the Ashley Madison data breach comes in second.
The hack was first reported by Motherboard, which was notified by the hacker claiming responsibility for the breach. In fact, Motherboard alerted VTech to the breach when it reached out to the company for comment on its article.
According to the article, the hacker doesn’t plan to do anything with the information they obtained. However, the hacker – who requested to remain anonymous – noted that it wasn’t difficult to break into VTech’s servers.
“It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker reportedly told Motherboard.
In a blog post, Troy Hunt – who operates the “Have I Been Pwned” website – said VTech showed a “total lack of care” when it came to securing user data on its website.
“When it comes to our identities being leaked all over the place, it’s just another day on the web. Unless it’s our children’s identities, that’s a whole new level,” wrote Hunt, who analyzed the data from the hack for Motherboard.
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is nine-year-old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’ I start to run out of superlatives to even describe how bad that is.”
According to VTech’s statement, affected account holders have been contacted by email to alert them to the data breach.
As with any hack that involves the leak of passwords, it’s important that any Learning Lodge app user who used the same password on other websites change it there as well.
Tips for creating secure passwords
If any of your passwords made this list, you might want to consider some of the following advice.
Stay away from easy-to-guess passwords like “123456” or “password” and easy-to-guess identifiers, like your dog’s name.
Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
And remember, try not to use the same password for any two accounts.