The Hong Kong-based toymaker/crapgadget purveyor didn't even know it had been breached until journalists from Vice asked why data from its millions of customers and their families were in the hands of a hacker, and then the company tried to downplay the breach and delayed telling its customers about it.
As more people dig into the dump of all its customer data, the story just keeps on getting worse. Now we know that at least 6.3 million children's data were exposed. Included in the dump are transcripts of chats between children and between children in their parents. The breach may also include photos that children took of themselves and their families with Vtech products. Again, Vtech is downplaying this, saying that the photos were "encrypted" — but Vtech's encryption was incompetently implemented and applied, and if the photos leaked, it would likely be easy to decrypt them.
VTech also wrote that its "security protocols" only require undelivered messages to be stored on their servers, and only for 30 days. Yet, the hacker claims to have gotten his hands on a year's worth of chat logs, from the end of 2014, until November of this year. Motherboard has received a purported sample of the chat logs, containing messages going back to December 2014.
"mom with this I can make a letter," reads a message sent on Christmas Day, 2014.
The hacker who broke into VTech's systems told Motherboard that he never intended to release the data to the public.
"Frankly, it makes me sick that I was able to get all this stuff," the hacker told me in an encrypted chat on Monday.
Hacked Toymaker VTech Admits Breach Actually Hit 6.3 Million Children