BreachExchange mailing list archives

VTech: 21-year-old man arrested after toy maker hack


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 15 Dec 2015 16:41:56 -0600

https://nakedsecurity.sophos.com/2015/12/15/vtech-21-year-old-man-arrested-after-toy-maker-hack%E2%80%8F/

A 21-year-old man has been arrested in the UK in connection with the recent
VTech hack.

He hasn’t yet been named.

VTech, headquartered in Hong Kong, makes a range of educational electronic
toys, and runs an online store called Learning Lodge, where you can shop
for downloads for your VTech products.

The company was breached recently
<https://nakedsecurity.sophos.com/2015/11/30/childrens-toy-maker-vtech-hacked-online-store-breached/>
by a hacker who claimed to have stolen the usual sort of data we hear about
in this sort of attack – and much more besides.

As well as names, email addresses, scrambled passwords and the home
addresses of nearly 5,000,000 parents, the hacker said he’d filched the
names, genders and birthdays of 200,000 children, too.

Worse still, he told on-line magazine Motherboard that he’d also
acquired thousands of pictures
<https://nakedsecurity.sophos.com/2015/12/01/photos-of-kids-and-parents-chatlogs-audio-files-stolen-in-vtech-breach/>
of parents and kids, a year’s worth of chat logs, as well as audio
recordings, some of which were of children’s voices.

According to Motherboard
<http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech>:

While probing VTech servers, the hacker found tens of thousands of pictures
of parents and kids. Some are blank, or duplicates, so it’s hard to
establish exactly how many are legitimate pictures. But the hacker said he
was able to download more than 190GB worth of photos, and considering that
there were 2.3 million users registered in the Kid Connect service, it’s
likely there were tens of thousands, or more, headshots of parents and
kids, according to the hacker.

The hacker shared a sample of 3,832 image files with Motherboard for
verification purposes, but he also said he doesn’t intend to publish or
sell the data.

“Frankly, it makes me sick that I was able to get all this stuff,” the
hacker told [us] in an encrypted chat. “VTech should have the book thrown
at them.”

For now, however, it looks as though the 21-year-old, from Bracknell, UK
(about 50km west of London), is going to have the book thrown at him.

The UK’s South East Regional Organised Crime Unit (SEROCU) reports
<http://www.serocu.org.uk/32/section.aspx/30/man_arrested_for_hacking_offences_>
that his arrest was on charges under the Computer Misuse Act for
unauthorised access to VTech’s systems, and unauthorised access to the
company’s data.

As Craig Jones, Head of the Cyber Crime Unit at SEROCU, points out:

Cyber crime is an issue which has no boundaries and affects people on a
local, regional and global level. I would like to urge everyone to check
their home and business computer security and follow the advice available
on sites such as cyberstreetwise.com <https://www.cyberstreetwise.com/> and
getsafeonline.org.

Also, don’t forget our popular, family-friendly, series of tips for Advent
2015 <https://nakedsecurity.sophos.com/?s=advent>, which we’ll be running
until Christmas.

If you’ve got webcams
<https://nakedsecurity.sophos.com/2015/12/05/advent-tip-5-change-default-passwords-on-baby-monitors-and-webcams/>,
internet-enabled toys, online thermostats
<https://nakedsecurity.sophos.com/2014/01/15/google-pays-3-2-billion-for-nest-a-smart-home-gadget-maker/>,
or even a connected kettle
<https://nakedsecurity.sophos.com/2015/10/20/internet-of-things-do-you-really-need-a-kettle-that-can-boil-your-security-dry/>
in your home…

…don’t forget that security matters for all those devices too
<https://nakedsecurity.sophos.com/2015/10/26/sophos-blog-presents-what-is-the-internet-of-things/>,
not just for your laptop and your mobile phone
<https://nakedsecurity.sophos.com/2015/06/02/why-you-shouldnt-worry-about-privacy-and-security-on-your-phone/>.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 