VTech: Playing Loose With Your Children’s Data

Gavin Phillips 15-02-2016

It’s been a tumultuous time for children’s electronic learning product suppliers, VTech. The Hong Kong-based company announced acquisition plans for direct-market competitor LeapFrog for $72 million, drastically expanding their market-share and positioning themselves as one of the foremost developers of and suppliers in children’s electronic learning products. Unfortunately, the week didn’t continue as planned.


VTech updated their terms and conditions following a large hack in 2015, blatantly shifting the onus of responsibility onto parents and carers without a second thought.

What have they changed? What have they secured? What should you be doing?

What Happened To VTech?

VTech were hacked last November VTech Gets Hacked, Apple Hates Headphone Jacks... [Tech News Digest] Hackers expose VTech users, Apple considers removing the headphone jack, Christmas lights can slow down your Wi-Fi, Snapchat gets into bed with (RED), and remembering The Star Wars Holiday Special. Read More , the attacker making off with the data from over 4 million adult accounts, and over 6 million child accounts. The hack exposed the personal data Five Ways To Ensure Your Personal Data Remains Secure Your data is you. Whether it is a collection of photographs you took, images you developed, reports you wrote, stories you thought up or music you collected or composed, it tells a story. Protect it. Read More of each compromised account including names, email addresses, passwords, secret questions and answers, IP addresses, mailing addresses, and download histories. As well as this, VTech’s app store database, Learning Lodge, was also compromised.

VTech Tote and Go Childrens Learning Device

From here, data including chat logs, personal audio files and photographs were compromised, many belonging directly to the children using the devices.



The hack was initially exposed by Lorenzo Bicchierai, writing for Vice magazine’s technology-focused Motherboard publication. After the initial article was published, Bicchierai was contacted by the individual claiming to have performed the hack, who provided sensitive photographs to the journalist for verification.

Bicchierai then invited information security specialist Troy Hunt to analyze the data provided to confirm if the leak was legitimate, rather than a hoax. On confirmation, Hunt further dissected the data and published details of the vulnerabilities affecting VTech. The vulnerabilities, as Hunt discovered, were atrocious.

Object reference flaws meant users could easily access the accounts of others by stepping through URLs, the entire host system was extremely sensitive to any form of SQL injection, and there was:

“No SSL anywhere… All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted.”

He also found passwords “encrypted” with a simple MD5 hash, with no salting, or even sight of an advanced hashing algorithm, meaning anyone with even slightly advanced computing skills would likely crack them in a short space of time.


Further to this, secret questions and answers were stored in plain text, with no additional security measures at all. Hunt also noted the poor quality of the security questions, such as “What is your favorite color?” or “Where were you born?” and other equally simple-to-discover information.

Child Users

Once a parent has created their adult account, child accounts can be created. Each child account is directly linked to the adult account, and they can add their own avatar, date of birth, and gender.

VTech Child Account Information Details CSVThe data is then stored in a self-referencing table using a “parent_id” to link both accounts together, like so:

VTech Adult and Child Account Linking Details


Meaning that with the additional data secured in the breach, each and every child could be simply matched to their parent, disclosing their addresses along with reams of other personal information.

Change The T&C

As we are so often confronted with lengthy user agreements, privacy statements, changes to the terms and conditions of websites, games, services, and more, we’ve all become a little blasé to the language used. I can absolutely not count the amount of T&C I’ve clicked through, and wonder if at some point I signed my soul over.

You would think the standard response to a major data breach Why Companies Keeping Breaches a Secret Could be a Good Thing With so much information online, we all worry about potential security breaches. But these breaches could be kept secret in the USA in order to protect you. It sounds crazy, so what's going on? Read More is a robust investigation into any and all security shortcomings, perhaps welcoming the work already completed by information security professionals that are attempting to safeguard sensitive data relating to children.

Not for VTech.


Instead, they updated their terms and conditions with distinctly unsavory terminology. In a section headlined Limitation of Liability, terms read:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties”

I’m sorry. What? The user agrees not be angry or hold the company responsible if they get hacked again? In 2016, how any company promoting any form of networked device responsibly can shift the burden of responsibility onto their users in a scenario where they are actively seeking sensitive information is beyond me.


No way. Even before their terms and conditions-based shenanigans, the UK’s Information Commissioner’s Office was investigating the data breach Keep Up With The Latest Data Leaks - Follow These 5 Services & Feeds Read More , along with multiple US State jurisdictions. Similarly, in the immediate aftermath of the breach, Hong Kong Privacy Commissioner Stephen Wong confirmed his office had initiated a “compliance check” on VTech to assess if the company had adhered to basic security principles.

As I was writing this article, the UK Information Commissioners Office confirmed that the new terms and conditions would contravene current UK law, stating:

“The law is clear that it is organisations handling people’s personal data that are responsible for keeping that data secure”

What Should You Do?

Honestly, until VTech have been proven to have substantially overhauled their security operation, do not use their products, including their website. 


In future, before buying any networked children’s toy, it would be prudent to run a quick “[product name/company name]+security” search, or you could try “[product name/company name]+hack/data breach.” Any of those combinations will quickly illustrate the security well-being of the product you’re about to hand to your child.

Security breaches are going to happen 3 Risks to Your Personal Data When Staying at a Hotel Staying in a hotel can prove dangerous for your data security. If you don't want your next trip to turn into an identity theft nightmare, here are some things to keep in mind. Read More . We live in a massively digitized world, sharing sensitive information Five Ways To Ensure Your Personal Data Remains Secure Your data is you. Whether it is a collection of photographs you took, images you developed, reports you wrote, stories you thought up or music you collected or composed, it tells a story. Protect it. Read More across a huge number of sites. However, we don’t have to throw ourselves into the firing line Is Online Banking Safe? Mostly, But Here Are 5 Risks You Should Know About There's a lot to like about online banking. It's convenient, can simplify your life, you might even get better savings rates. But is online banking as safe and secure as it should be? Read More , and equally, we do have the right to expect a modicum of respect 3 Online Fraud Prevention Tips You Need To Know In 2014 Read More to the privacy of our personal data – let alone that of our children.

Affected by the VTech breach? Or can you sympathize with a toy-maker in the networking and information security world? Let us know below!

Image Credits:Hacker Man by tanberin via Shutterstock

Related topics: Online Privacy, Toys.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *