The hacker, who has been in contact with Motherboard, claimed that VTech left a lot of sensitive data exposed on its servers, including kids’ profile photos and chat logs between children and parents.
VTech confirmed the data breach of its Learning Lodge online portal Friday.
The Learning Lodge app allows customers to download apps, learning games and e-books to VTech products. Previously, the company had noted that about 5 million customer accounts and related kids profiles worldwide were affected.
VTech has also suspended 13 websites following the hacking of its Learning Lodge app database.
After working closely with Motherboard, Australian security specialist Troy Hunt wrote a blog post on Saturday, explaining that VTech had very poor security protocols in place.
VTech said the breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children’s names, genders and birth dates.
As more devices are connected to the Internet and as companies increasingly collect personal information about their customers, such attacks are expected to increase.
Motherboard reports that the hacker who found the vulnerability in VTech’s servers also found a vulnerability in the way the company secures information shared on its Kid Connect platform, a service that lets parents use a smartphone app to exchange messages, pictures, and stickers with their child, who uses a VTech tablet.
VTech said that no credit card information was compromised, and that the database doesn’t contain social security numbers or driver’s licenses.
“This in turn reduces the damage that hackers can cause, as encryption renders stolen data illegible and virtually useless to them. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future”, the company added in a statement.
When Motherboard reached out to VTech for comment, the company’s spokesperson responded, “We were not aware of this unauthorized access until you alerted us”.