Earlier this month, an unknown hacker exfiltrated customer databases from Chinese toy maker, VTech. Amongst the data stolen were the records of 5 million parents and over 200,000 children.
Along with account data, such as user names and passwords, the toy maker also stored personal data including names, email addresses, physical addresses, and ip addresses of customers. Particularly troubling is that the identities of children can be matched with their respective parents using the data.
The individual who stole the data claims to have only shared it with the online publication, Motherboard, although they claim it would have been trivial for others to have also dumped the data due to the weak security in use by the website. The hacker was able to get a hold of the data by using a trivial SQL injection attack.
According to analysis by Troy Hunt, there were 4,833,678 unique email addresses in the dump. As for the passwords, they were stored in a format only slightly more preferable than plain text. They were MD5 hashed, without any attempts to salt or use a stronger hash.
VTech released a statement on Friday regarding the breach. However, this was only after being contacted by Motherboard, as they were unaware of the breach prior to this.
If you want to check whether your details were a part of this breach, you can do so via Have I Been Pwned. While you’re there, sign up for the automatic breach notification service that will alert you if your email address is compromised in future breaches.