Last Friday was indeed a Black Friday for some, as five million people found they were affected by an attack on popular toy company Vtech. The hack left the data of both parents and children exposed, which security experts attribute to poor security practices and insufficient encryption.
On Friday it was announced that Vtech’s Learning Lodge app database had been hacked, affecting users from around the world. The company says that no card details were taken and that any stolen info was encrypted, but security analysts have said that the passwords weren’t encrypted.
The breach exposed a load of user info, including private profile info, names, addresses, secret questions and answers, download history, IP addresses and email addresses: more than enough information to build up a picture of a user.
Security analyst Tony Hunt looked at a sample of the data that had been dumped online and confirmed the breach, saying that there was also information about the children, including names, genders, birth dates and addresses.
He said: “Once the passwords hit the database … they’re protected with nothing more than a straight MD5 hash, which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text.
“The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you can do next to no cryptographic protection at all.”
There’ve been suggestions that there are too many children’s toys connected to the Internet of Things without the proper security input, and this is a warning that can be applied across the board. Hunt said: “Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”
The company was told about the breach by a journalist, which also highlights the importance of monitoring your own systems for breaches and of carrying out regular pen tests and vulnerability scans.
Professor Alan Woodward, cyber security expert at the University of Surrey, backed up the idea that companies need to be more proactive when it comes to their security, saying: “These breaches are endemic and we have to stop. If that means focusing the minds of these companies through big fines then so be it. It needs to be taken seriously and those responsible held to account.”
Take a look at UKFast’s security solution web page for more information on pen testing, vulnerability scans, and other ways of protecting yourself.