VTech hack affects 6.4M children's accounts, 4.9M adults'

A cyber attack on digital toymaker VTechHoldings Ltd exposed the data of 6.4 million children,the company said on Tuesday, in what experts called the largestknown hack targeting youngsters.

The Hong Kong-based firm said the attack on databases forits Learning Lodge app store and Kid Connect messaging systemaffected even more kids than the 4.9 million adults that thecompany disclosed on Friday.

Among Canadians,316,482 children's accounts and237,949 adults' accounts were affected.

• Vtech hack: How to protect your kids' privacy

Security experts said they expected the size of the breachwould prompt governments to scrutinize VTech and other toymakersto review their security.

"The disclosure of the scope of the breach is troubling,"said Jaclyn Falkowski, a spokeswoman for Connecticut's attorneygeneral.

Connecticut and Illinois said on Monday they plan toinvestigate the breach. Regulators in Hong Kong are also looking into the matter.

"This breach is a parent's nightmare of epic proportions,"said Seth Chromick, a threat analyst with network security firmvArmour. "A different approach to security for all organizationsis needed."

Wake up call for families

Chris Wysopal, co-founder of cyber security firm Veracode,said it could be a wake up call for families in the same waythat the hack on infidelity website Ashley Madison earlier thisyear made adults realize online data might not be safe.

VTech said in a statement that children's profiles includedname, gender and birth date. Stolen adult data included name,mailing address, email address, password retrieval questions, IPaddress and passwords.

The most VTech customers affected were in the United States,followed by France, the United Kingdom, Germany, Canada, Spain,Belgium and the Netherlands.

Shai Samet, a security expert who audits toymakers forcompliance with the U.S. government's Children's Online PrivacyProtection Act, said he believed the case would lead many toycompanies to "rethink" security protections on children's data.

Technology news site Motherboard, which broke news of thebreach last week, reported that the person who claimedresponsibility for the hack said "nothing" would be done withthe stolen information.

Security experts were skeptical, noting that the stolen datacould be worth millions of dollars.

"I wouldn't trust him," said Troy Hunt, a security expertwho reviewed samples of stolen data and information about theattack for Motherboard.

Justin Harvey, chief security officer with FidelisCybersecurity, said stolen records sell for $1 to $4 in
underground markets.