A breach of 4,854,209 parents' and 6,368,509 kids' online accounts with digital toy maker VTech — which affects 18,151 Australian parents and 23,096 children — just got much worse.
The hacker has released to a news organisation select photos, audio recordings and text chats, created by the kids using high-tech internet-connected toys, that were meant only for the children and their parents.
VTech breach: what it means for families
Fairfax technology editor Ben Grubb explains how the breach of millions of online accounts with digital toy maker VTech underlines the importance of online security.
It comes as US states said they would investigate the massive breach at the toy maker and as security experts warned that hackers were likely to target similar companies that handle customer data.
The Hong Kong-based toy maker disclosed the attack on Saturday, saying information about nearly five million adults and children had been stolen in an attack on a portal used to download games to its computer tablets.
Technology news site Motherboard reported on Saturday that the data belonged to some 4.8 million adults and more than 200,000 children. VTech did not break out the number of children affected, but confirmed five million accounts were affected.
Motherboard further reported on Tuesday that the hackers also stole photos and chat logs from VTech's Kid Connect service, which allows adults to use their smartphones to chat with kids using the VTech tablet. It also published what appeared to be an audio recording a child made using one of the company's toys. On Wednesday VTech clarified that 4,854,209 adult accounts and 6,368,509 related kid profiles worldwide were affected.
VTech said the breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children's names, genders and birth dates. The database did not include credit card information, ID card numbers, Social Security numbers or driver's licence numbers, it said.
VTech could not be reached for comment on the US state probes or the Motherboard reports.
Australian computer security researcher Troy Hunt, who collaborated on the reporting of the hack with Motherboard, told Fairfax Media that VTech made "so many stupid mistakes" in securing their customers' information and were "massively negligent".
"Just browsing around their website and looking at the pattern of the web requests," he was able to identify numerous security issues, he told Fairfax.
Motherboard said it spoke to a hacker who claimed to be behind the attack. The man reportedly said he planned to do "nothing" with the data.
Mr Hunt told Fairfax he did not believe this. "How much do you trust someone like that?" he asked.
Mr Hunt also said it was unclear whether another hacker with malicious intent may have found the same flaws and had access to the data.
To stop such breaches in the future, Mr Hunt said that there had to be punishment for companies that didn't secure information correctly, but few countries currently have laws to facilitate this.
Bad publicity alone was not enough to prevent future breaches, he said.
While Australia can fine companies for breaches, there is no requirement on a company to disclose a breach in the first place. Such disclosure laws were meant to be introduced into the federal parliament by the end of this year, but there are only a few parliamentary sitting days left and it seems unlikely they will get through.
Meanwhile, some experts said that they expected to see more breaches involving information collected through digital toys and other web-connected devices, a category of products known in tech circles as the internet of things, or IoT.
They said that manufacturers in many industries lack the security experience and expertise that the computer industry has developed during the surge in internet use over the past two decades.
"You have all these devices and services that are connecting to the internet by companies that don't have the experience that older software companies do in securing their data," said Katie Moussouris, chief policy officer with HackerOne, a "bug bounty" firm that helps businesses work with researchers to find cyber bugs.
"VTech is a toymaker and I don't expect them to be security superstars. They are amateurs in the field of security," said Tod Beardsley, security research manager with Rapid7.
Toy manufacturers lack rigor in secure software development, said Chris Eng, vice president of research at security software maker Veracode. They are "inevitably going to fall short on security," he said.
Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it so that it would be difficult to unscramble and useless if stolen.
with Reuters reporters Jim Finkle, Clare Baldwin and Donny Kwok