Happy holidays & warm wishes!
December 25, 2015
Bitcoin – The First Cryptocurrency
January 1, 2016
Show all

Are Your Children Safe With Their Toys?

With the recent massive hack of the Hong Kong-based toymaker VTech, it saw the personal data of not only millions of children, but their parents as well being compromised. At 6.4 million kids’ data and nearly 5 million parents’ data stolen, this case is said to be the largest known theft of personal data targeting children, and the biggest ever attack on a toy firm. In an online post by VTech, the company declared that almost half (46%) of the parents’ accounts that were hacked actually belonged to users in the U.S, while several other countries make up the balance (18% from France, 12% in the U.K., 8% in Germany, and 5% or less each for the rest of the countries).

Motherboard VTech

Source: Motherboard

The leaked data exposed gigabytes’ worth of children’s and parents’ photos, chat logs, and conversation recordings, on top of names, email addresses, passwords, birthdays and home addresses. Since the incident, it has raised questions about child safety at a time when the Internet of Things (IoT) has moved on to toys and increasingly encourages children to share personal information and play online.


Internet of ThingsIoT is the network of physical objects or ‘things’ embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.

Catherine Holden, aged 10, with the Kidizoom VideoCam, VTech (£59.99) which has been predicted to be one of the top twelve toys this Christmas at the Toy Retailers Association's (TRA) Dream Toys 2010 media preview, St Mary's Church, Marylebone, London.. Picture date: Wednesday October 27, 2010. The 2010 annual Dream Toys list from the TRA, the industry's official prediction of Christmas best-sellers, is packed full of kiddie versions of adult must-haves. See PA story CONSUMER Toys. Photo credit should read: David Parry/PA Wire

Source: SBS News

In an interview between Motherboard and the VTech hacker, who requested to remain anonymous, said that the company was guilty of using “shitty security”. Since the very beginning, the hacker made it clear that publishing the data, or selling it on an online market, was never his intention. He revealed that what brought him to hack into VTech’s servers was to expose the company’s inadequate security practices.

“I just want issues made aware of and fixed”, the hacker disclosed to Motherboard. “Frankly, it makes me sick that I was able to get all this stuff.”

For VTech’s customers, buyers of the company’s cameras, watches and tablets are encouraged to provide names, addresses and birth dates when signing up for accounts where they can download updates, games, books and other content to personalise the VTech experience.

VTech said the hacker compromised its Learning Lodge app store, which provides content for children’s tablets, and its Kid Connect mobile app service that lets parents communicate with those tablets. According to Juniper, toys that gather data on the user, like VTech’s line of cameras, watches and tablets and their associated websites, will probably see further growth by 58% annually.


The investigation continues

The South-East Regional Organised Crime cyber unit (SEROCU) said in a statement that it has since arrested a 21-year old man in Bracknell, located about 30 miles west of London, which is home to numerous tech firms. The man was detained on suspicion of unauthorized access to a computer to facilitate the commission of an offense. British police said several electronic items were seized and would be examined by SEROCU’s cybercrime unit.

A spokesman for the SEROCU’s said it had worked closely with partner agencies on the operation which focused on the hacking of applications belonging to VTech, and stated;

“A 21-year-old man was arrested today in Bracknell on suspicion of unauthorised access to computer to facilitate the commission of an offence, contrary to Section 2 of the Computer Misuse Act 1990 and suspicion of causing a computer to perform function to secure/enable unauthorised access to a program/data, contrary to section 1 of the Computer Misuse Act 1990”.

In Hong Kong, the office of the privacy commissioner for personal data, an independent body that oversees data privacy, said it is investigating how VTech safeguards personal data. In Britain, where 1.3 million accounts were compromised, the Information Commission’s Office, an independent data-protection body, said it is also investigating into the data breach.

“We are still at the early stages of the investigation and there is still much work to be done,” Craig Jones, head of the regional cybercrime unit said in a statement.


 Why would your kids be targeted?

vtech fuzzykins

Source: Toons Online

For VTech’s case, they were ‘lucky’ in the sense that the hacker claims he does not intend to publish or sell the data stolen, but rather merely wanted to make the company aware of the extent of their dismal security. However, not all hackers may be as forgiving.

Digital products aimed at kids usually have far weaker security than other computer products. Hackers are very aware of the lack of security on toys and other Wifi-connected devices with the booming demand on more IoT devices and will continue to exploit these vulnerabilities. Shipments of toys that connect to the Internet will rise 285% over the next five years, according to estimates by UK-based Juniper Research.]

Additionally, it is not only the children’s data which is accessed in these hacks, but also their parents who often have linked accounts to their kids for guardian approval. The data taken from VTech could also be used to craft an attack on other web accounts used by the parents. Learning about a person’s lifestyle and family is already half the step to committing fraud using the victim’s details, or to answer password security questions like “what is your pet’s name”. Kids have no credit history and their parents generally are not checking their credit reports, making them easy targets. In the future, these harboured stolen data could be used to target kids when they came to creating their own online profiles and bank accounts, and no one would even know anything was wrong until that child applied for credit later in life.


Keep your children safe

Don’t be stupid! As much as possible do not disclose your children’s information on the internet! Your kids do not know any better about the big bad cybercrime world, so it is still parents who are responsible for their kids’ safety, and it is still up to parents to be aware of the risks of letting their kids on the Internet, and especially of putting personally identifiable information for the world to grab.


Source: The Internet Patrol

If you or your child has ever registered anything through any of the VTech sites, including:















…then you should contact VTech at whichever below email address is applicable to you:


US: vtechkids@vtechkids.com

Canada: toys@vtechcanada.com

France: explora_park@vtech.com

Germany: downloadmanager@vtech.de

Netherlands: exp@vtech.com

Spain: informacion@vtech.com

UK: consumer_services@vtech.com

Australia and New Zealand: enquiriestoys_aunz@vtech.com

Hong Kong: corporate_mail@vtech.com

Other countries and regions: corporate_mail@vtech.com

(Addresses updated by The Internet Patrol)


To read a really in-depth analysis of the VTech data breach, click here for a dissection of the hack by Troy Hunt.



[1] Wall Street Journal

[2] NBC News

[3] Motherboard

[4] Motherboard

[5] Telegraph




Leave a Reply

Your email address will not be published. Required fields are marked *