Not caring and playing down the tragedy comes back to bite you in the ass
That’s what happened with VTech (NOT Vault Tech… bummer!!), whose reluctance to tell the truth about the hack attack on its servers turned it into a cautionary tale after it put a whole lot of personal data in jeopardy.
The award-winning maker of electronic learning toys, which is based in Hong Kong, admitted the breach of its database in the hack attack on Nov 14. That database belongs to Learning Lodge.
Learning Lodge is a site that lets customers download learning games, applications and other educational content for VTech products. Now this LODGE is more of a cautionary tale.
Motherboard was where the first news of this atrocious attack surfaced, reporting the information leak of 5 million adults and 200,000. Most victims of this pathetic crusade are parents from different countries. Photos and chat logs were stolen too, from VTech’s Kid Connect service. The service allowed parents to chat with their kids using the VTech tablet.
Earlier, VTech downplayed this incident, saying that there was only an unauthorized access to the servers. REALLY?? What did they think happens after unauthorized access to the server, do pigs start to fly? Or is the hacker just gonna be there to help himself to some freebies? Well, now they (VTech) have admitted that on 14 Nov there was a serious breach on their site, via a Canadian journalist’s email.
What’s more, even on Motherboard this news surfaced only after the hacker responsible shared the stolen data. He ‘claims’ to have shared the news only with Motherboard. Parents would have been completely in the dark if no confession had been made. DAMN YOU VTECH!!
Why and how was it hacked? Well... weak protection, of course.
SQL injection was used to gain root access to the servers. The content that was taken from the parent site was a lot and at the same time… nothing very major. The stolen data has e-mails, IP addresses, password retrieval answers, customer download history, and the names, gender and age of the children who used the VTech apps. Now that I type it out, most of these are very important data. According to VTech, customers’ social security numbers, credit card data and driver’s license numbers were not taken. THAT’s like damage control at its worst. WELL THANK YOU VTECH!!! VTech’s claim feels like a college student after being tea-bagged saying, “Well, at least no hair came in my mouth”. The worst part is that there are TONS of ways to prevent SQL injection. Some of them are the following:
- Using parameterised queries may appear to hinder the interaction of a site, but using a lot of them is a workaround. And it’s helpful with the prevention too.
- Using stored procedures helps a lot, so that can be an option too. Teaching children follows a particular path, so it’s an option too.
- Minimizing user input ==> This is NOT an option for you, VTech. I get it.
The MD5 algorithm protecting the Learning Lodge passwords is a weak-ass algorithm. Many in the world agree, including security expert Troy Hunt, the owner of Motherboard.
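To make the first bullet concrete, here is an added example (not code from the original post or from VTech) that runs the same account lookup twice: once built by string concatenation and once as a parameterised query. The `accounts` table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
ROWS = [
    ("parent1@example.com", "Alex", "blue"),
    ("parent2@example.com", "Sam", "green"),
    ("parent3@example.com", "Kim", "red"),
]

def make_db():
    """In-memory stand-in for a customer account table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts "
               "(email TEXT PRIMARY KEY, child_name TEXT, secret_answer TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return db

def lookup_concatenated(db, email):
    """Vulnerable: input is pasted into the SQL text, so it can change the query."""
    sql = "SELECT email, child_name FROM accounts WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db, email):
    """Hardened: the driver binds the input as a value; it is never parsed as SQL."""
    sql = "SELECT email, child_name FROM accounts WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

def compare(email):
    """Return (row count from concatenated query, row count from parameterised)."""
    db = make_db()
    try:
        return (len(lookup_concatenated(db, email)),
                len(lookup_parameterised(db, email)))
    finally:
        db.close()

if __name__ == "__main__":
    for value in ("parent1@example.com", "x' OR '1'='1", "o'brien@example.com"):
        try:
            print(repr(value), compare(value))
        except sqlite3.OperationalError as exc:
            # A stray quote breaks the concatenated query outright.
            print(repr(value), "concatenated query failed:", exc)
```

The concatenated lookup returns every row for the tautology input and raises a syntax error on an ordinary apostrophe, while the parameterised lookup treats both as plain values that match nothing.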
Now the most important of it all, the risk to children
What VTech did was blatantly irresponsible. The information leak can affect children in numerous unexplainable ways: namely data duplication, data theft (which is basically duplication) and, going more sinister, attracting pedophiles. What VTech can do now, according to Beth Marcus (Playrific CEO), is separate out all the information regarding the children onto a completely different and a lot more secure server. A place where it is not altered, is permanent and is behind a powerful cyber lock and key. The individuals working for Children’s Online Privacy Protection, or COPPA, understand this and are trying in earnest to help.