Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.
The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.
The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.
PC Magazine reported the hack was the fourth largest breach of consumer data on record.
The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.
That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.
The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.
VTech said it investigated the breach and implemented steps to combat further attacks. Attorney generals from Connecticut and Illinois said they will also investigate, Reuters reported Monday.
The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.
“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”
Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.