Over 200,000 Children's Identities, Photos From Toy-Maker Stolen in Hack

VTech's products are seen on display at a toy store in Hong Kong. VTech closed its Learning Lodge app store after customer data was stolen in a cyberattack, sparking concern over the loss of information relating to children. REUTERS/Tyrone Siu

Electronic toy-maker VTech is under heavy criticism for its woefully weak security system after details of its 5 million users—227,000 of whom were children—were stolen in a hack last week.

The leak contained the identities and addresses of the families affected by the hack, according to Vice Motherboard, which broke the story. In response, VTech closed its app store and 13 of its associated websites to prevent further hacks.

The Hong Kong–based company sells rudimentary tablets such as the InnoTab, and learning toys for toddlers. Through the Learning Lodge website installed on InnoTab tablets, parents could download apps, music, books and games for children after registering an account for each member of the family.

The online footprints left on Learning Lodge were hardly protected, if at all. All data within VTech was transmitted over unencrypted connections, without the industry-standard Secure Sockets Layer (SSL) encryption technology. VTech stored all children's passwords in plain text and adults' passwords with an extremely outdated encryption system that was so weak that "they may as well have not even bothered," according to cybersecurity expert Troy Hunt.

On Monday, Motherboard followed up with a far more ghastly allegation: that VTech was storing photos, chat logs and audio recordings between parents and children without either party knowing. Motherboard reported that hackers also accessed data from a company service called Kid Connect, which allowed parents using a smartphone app to speak to their children on their VTech tablet.

Motherboard received no comment from VTech on why the company has been storing this information in the first place. Newsweek also requested comment from VTech and will update the story when we hear back.

In a company blog post published on Monday, VTech noted that the compromised data did not include credit card information or any personal identification data, like driver's license numbers. Email inquiry lines for customers have been set up in 10 countries to help the victims.

The anonymous hacker told Motherboard he doesn't plan to sell or distribute the 5 million users' data on the Internet.