VTech hack: What you need to know

This week,VTech,a Hong-Kong-based company that makes electronic learning products for kids,confirmed a massive data breach.

More than five million users' personal information was stolen, including that of Canadian parents and kids.

• Data breach at toymaker VTech could affect 5 million customers

CBC Radio technologycolumnist DanMisenerexplains what we can learn from this incident.

How did theVTechprivacy breach happen?

VTech is the world's largest maker of cordless phones. But in addition to that, the companymakes electronic toysandtablet computersfor kids.Like manytablet makers, they have an online app store.

The VTech app store,which is called "Learning Lodge,"lets parents and kids download apps, games, and other content onto VTech devices.

But in order to use VTech's app store, users need to createan account and that'swhere the data breach occurred.

VTech confirmed that a few weeks ago thatan "unauthorized party" accessed their database of user accounts. This week, they confirmed thatthe breachinvolved more than five million accounts, belonging to parents and kids, includinginformation from Canadian customers.

The hackerclaiming to beresponsible also claims to have obtained photos from users,as well as chat logs, butVTechhasn't confirmed that.

What information was breached?

The good news is that according to VTech's press release,their database doesn't contain credit card information. So that means credit card details would not be included in the hacked information.

But for customer accountsthe kind of account a parent would set upthe database includes a lot of information, including names, email addresses, passwords, password reset questions and answers, IP addresses, mailing addresses, and the download history for an account.

The data breach also included kids' profiles on the store, which would includekids' names, genders, and birthdates.

How is this breach different than others?

AvnerLevin, director of the Privacy andCybercrimeInstitute atRyersonUniversity,says this breach is differentbecause it involves kids' information and it raises some questions about parents' responsibility.

Hepointed out that kids' information is only in the database because parents put it there.

"You really have to watch out and not sort of jump into all of these neat little ideas, ofcreating like neat little kiddie accounts.Stop and think is that what you want to do?" he said.

"You're creating these digital footprints for your kids that are going to go and accompany them throughout life. So these are really questions that I think people have to stop and think about."

Levin said while he thinks the wayVTech stored their data is problematic, it's also not agood idea to give VTech kids' information in the first place.

How likely is it we'll see more of these kinds of data breaches?

It seems quite likely, unfortunately.

Part of the VTech story is just how vulnerable their database was in the first place. In a post on his website, Troy Hunt,the security researcher who helped verify the VTech breach,saidthe company had some alarming security practices. He arguedVTech did a poor job securing kids'data.

There's alsoa larger trend heremore and more objects in our homes becomingconnected through the so-called "Internet of Things."

• Spark: The internet of insecure things

There are lots of companies that are great at making toys, or kitchen appliances, or televisions. But that doesn't necessarily mean they're also great at keeping personal data safe and secure.

What can parents do to help maintain kids' privacy?

Avner Levin, who is botha parentand a security researcher,saysif your child is going to have an online account or profile, a little obfuscation is in order.

"Change the age, change the gender, change the name, change whatever you can so that you don't actually have a record of your child online with their real informationthat can then be stolen andused," he said.

VTech also says its reached out to every account holder via email, to let them know about the data breach.

They've also set up an email address Canadian customers can contact if they're worried about the breach. It'stoys@vtechcanada.com.