Fallout from the massive hack against electronic toy and education company VTech continues to get worse.
On Wednesday, the company confirmed more than 10 million customer accounts – including 6.3 million children’s user profiles – were affected by the data breach. In Canada, over 237,000 adult profiles and over 316,000 kids’ profiles were affected.
Previously, VTech said the breach only affected about five million accounts.
The hack was first reported by Motherboard, which was notified by the hacker claiming responsibility for the breach. In fact, Motherboard alerted VTech to the breach when it reached out to the company for comment on its article.
The company confirmed the hack on Monday, admitting data from both parents and children has been exposed after its Learning Lodge app database was hacked.
The Learning Lodge app – which allows customers to download apps, games and educational content to VTech products – contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories. The database also contained kids’ profile information, including names, genders and dates of birth.
In a statement released Wednesday, the company admitted its databases lacked proper security – something security experts have been criticizing since news of the hack broke.
“Regretfully our Learning Lodge, Kid Connect and PlanetVTech databases were not as secure as they should have been,” read a statement on VTech’s website.
“Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks.”
Motherboard has since alleged the hacker also obtained children’s head shots attached to gaming profiles, as well as chat logs between kids and parents.
The article noted, “in most, if not all, of these cases, the logs, pictures, and recordings can be traced back to specific usernames, allowing anyone in possession of the hacked data to identify the people chatting as well as those in the pictures.”
VTech has yet to confirm these allegations, noting that its investigation is ongoing; however, the company did admit that while audio files and photos are encrypted on its system, chat logs are not.
Considering the company compares its Kid Connect chat app to popular messaging service WhatsApp, the fact that chat logs are unencrypted has prompted even more outrage from the security community.
However, VTech did note that messages stored within its servers expire after 30 days.
VTech being investigated by U.S., Hong Kong following hack
Investigations into the massive data breach have already begun. According to Reuters, attorneys general in Connecticut and Illinois have said they will investigate the breach; however, the scope of their investigation has not been determined.
Hong Kong’s privacy commissioner Stephen Wong said his office had initiated a “compliance check” to see if VTech, based in Hong Kong, had followed data privacy rules.
According to “Have I been Pwned,” a website dedicated to detailing the Internet’s worst data breaches, the VTech hack is the fourth largest consumer data breach to date. To compare, the Ashley Madison data breach comes in second.