Slashdot Mirror


VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids (vice.com)

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

65 comments

  1. That's the last Ponies game my daughter gets by Anonymous Coward · · Score: 1

    Phew...

  2. Honestly ... by gstoddart · · Score: 4, Insightful

    VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws

    Just stop using this crap ... over and over and over and over we see these same damned stories.

    Stop handing all this information over to companies who are too indifferent and incompetent to give a shit about how badly they misuse your data.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly ... by matthewv789 · · Score: 4, Insightful

      The problem is 99% of the population has no idea, and will never have any idea. And neither do the websites' owners. Asking a handful of nerds not to use their site is not going to do any good, and sending them an email telling them their site sucks isn't going to help much either.

      These sites will still be just as insecure in 15 years if there isn't a legal requirement to use encryption, hash passwords, and pass at least basic automated scans for SQL injection, XSS, and other common attacks. Seriously, outside of the dot.com/web services space, financial services and e-commerce where they have to pass PCI, this level of insecurity is extremely widespread, at all sizes of companies, and it's not changing any time soon.

    2. Re:Honestly ... by RobinH · · Score: 3, Informative

      It's a lost cause. Our school sends home permission slips to allow the teachers to post pictures and videos of our kids on the school website at least once a year, sometimes more. I always say 'no' and my wife respects this, but she gets annoyed with me. She thinks I'm paranoid, and I told her I'm not paranoid, I'm just trying to make a point to the school, and in a way that's fairly painless for us.

      Then one day she signed a permission for a video to be posted without consulting me. I was a bit upset, and she started saying that "it was password protected with a different password for each class." I got her to login to see our classes videos and pictures, and I could see at the top that once you were past the login page, it didn't seem like there was any session or anything. I showed her how I could take the URL for that picture and post it into another browser and it let me in without asking for a password. She still didn't quite get it or believe me. The URL was in the form of a GET request, with a picture ID number in the URL. I just started modifying the URL and typing in other numbers. Not every one was a hit, but I started bringing up pictures of kids in other classes. I said, "how can I see these if you've only entered the password for our daughter's class?" That finally seemed to prove my point, that the school (and whoever their web portal supplier was) just wasn't competent at making this secure, if I could get past their security in a few minutes. Unfortunately I can't really report that to the school or anything because I would just end up with police at my door.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:Honestly ... by jheath314 · · Score: 2

      Even better, companies should stop the rampant collection of non-essential information.

      Large databases of sensitive information are just massive breaches waiting to happen. If it's not a SQL injection attack, it will be some other exploit (heartbleed, shellshock, logjam, etc.) Even if you could magically defeat every exploit, the data can get exposed by any malicious or incompetent administrator. If nothing else, authorities with sufficient interest in the data could simply compel the database owners to turn it over.

      When it comes to protecting amassed information, the only winning move is not to play.

      --
      Procrastination Man strikes again!
    4. Re:Honestly ... by RobinH · · Score: 2

      I know you're trolling, but my wife is arguably smarter than I am (and has the Ph.D. to prove it). The fact is, outside of technology circles, nobody knows or cares about this stuff (which was my point).

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    5. Re:Honestly ... by khasim · · Score: 1

      In my experience that is because they've already made up their minds.

      Ask her, should something go wrong, whether she'd blame the school's security or herself for releasing the info in the first place.

    6. Re: Honestly ... by Anonymous Coward · · Score: 0

      Having a Ph.D doesn't necessarily mean that she is smarter than you.

      But the fact that you accept that would almost certainly mean that you are not that bright yourself, so you are probably correct.

    7. Re:Honestly ... by godel_56 · · Score: 2

      That finally seemed to prove my point, that the school (and whoever their web portal supplier was) just wasn't competent at making this secure, if I could get past their security in a few minutes. Unfortunately I can't really report that to the school or anything because I would just end up with police at my door.

      Report it anonymously to your local newspaper

    8. Re: Honestly ... by Anonymous Coward · · Score: 0

      For example Kent Hovind has a PhD.

    9. Re:Honestly ... by rubycodez · · Score: 2

      what's funnier is slashdotters who work in IT, who have posted in other articles about security that the main thing is employees ability to get their job done with no inconvenience, and security that causes inconvenience or makes it harder to do job is bad. They make fun of "security nuts" like the OpenBSD and related projects teams, and those that seek to tighten up Linux distros' security, for example.

      No you fucking twats, you're part of the problem. Security is painful, good security is more painful. Security is the number one issue IT faces.

    10. Re: Honestly ... by Anonymous Coward · · Score: 0

      Uh, I work in IT for post-secondary education and I can confirm a PhD or Masters does not equal aptitude toward security or computers; in fact I regularly have to punch in users' passwords after they repeatedly fail to punch in the same password.

    11. Re: Honestly ... by Anonymous Coward · · Score: 0

      I am a Ph.D holder and there is lots of stuff, outside of my domain, that I do not know. Some of it I will never understand. To those who do, I am stupid.

    12. Re:Honestly ... by indytx · · Score: 1

      The problem is that this "crap" is given to your kid as a gift and requires a software installation to run, and unless you want to tell your kid "no" and explain that their gift will never work you set up the account.

      --
      Make love, not reality television.
  3. If you write SQL injections by phantomfive · · Score: 4, Informative

    If you know a programmer who writes code vulnerable to SQL injections, tell them to buy this book. If you are a programmer that writes SQL injections, you need it (or a swift kick in the head).

    Seriously, this is an old, solved problem. We know how to write code with zero SQL injections. It's been solved, and there is no excuse for having any of them in your code.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:If you write SQL injections by matthewv789 · · Score: 2

      You're preaching to the choir. I wouldn't be surprised if the majority of web developers in existence do not read slashdot, barely know how to program, and have never even HEARD of SQL injection (or other common attacks), and if they have... they stopped working on that site 10 years ago and it's been running on autopilot ever since, with only minimal maintenance as needed since then (often by someone not very competent or up to date). This problem isn't going to be solved until it's illegal to run insecure sites like this. (Of course that won't solve the overall problem of hacking, even sites that are very careful and have taken all precautions have been hacked; I just mean the problem of completely retarded sites like this.)

    2. Re: If you write SQL injections by liqu1d · · Score: 3, Insightful

      You're probably right as the majority of "web developers" these days have it all prebuilt into Wordpress for them.

    3. Re: If you write SQL injections by Anonymous Coward · · Score: 0

      the majority of "web developers" these days have it all prebuilt into Wordpress for them.

      Wordpress gives web development a bad name. Seriously, you might as well hang a banner on your page that says "I'm Wordpress, Please Hack Me".

    4. Re:If you write SQL injections by phantomfive · · Score: 1

      You're preaching to the choir. I wouldn't be surprised if the majority of web developers in existence do not read slashdot

      That's why I said "give it to someone who writes sql vulnerabilities. " :) I figured most people here would know how to avoid them (I really, really hope so).

      Considering there are PHP tutorials high in Google's search results that aren't teaching parameterized queries, it's going to be a long time before we get rid of the problem completely.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      Management hears: "blah, blah,blah, blah,blah, blah,blah, blah."

    6. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      Well, each new crop of kids that become programmers need to learn this again. It is new to them, after all.

      And, of course, schools don't teach it, let alone make a test on it mandatory for graduation.

      And, the kids who don't know this stuff think they are a lot better at programming in general than they actually are. They have yet to be humbled by real world experience, so they blithely sell out their awesome lowest bid to companies run by non-technicians.

      Wash, rinse, repeat ad nauseam.

    7. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      As the CIO, I would ask for the source code to be extracted from SVN/GIT, and then everyone who touched the last version of ANY file that has dynamic (SQL injection vulnerable) SQL in it be immediately fired.

      There is simply no excuse for this, and if I was running the show, I'd show no remorse or pity for those responsible.

      At the same time, I'd also fire the entire QA department responsible for allowing this to get into prod.

    8. Re:If you write SQL injections by phantomfive · · Score: 1

      At the same time, I'd also fire the entire QA department responsible for allowing this to get into prod.

      I'm willing to bet they don't have a QA department.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      Well why would QA be in charge of validating security? I work for a 'cloud security' startup and while we have many Fortune 500 customers, their data gets copied over to the QA environments where everyone has full access, and onto people's unencrypted laptops on a regular basis. Production passwords are not encrypted and are shared over email, third party chat rooms, etc... Once in a while you get an email thread forwarded to you and way down in the discussion a customer email and password is shared. Customers are promised the moon on our security; we have external security audits but they only look at documents we handpick and show to them: we do not document what we don't want them to see. This culture is encouraged at the CEO level.

    10. Re:If you write SQL injections by rubycodez · · Score: 2

      False, Your code can be perfect and still be subject to SQL injection depending on where and how it is run because of vulnerabilities outside the code, in web framework or web serving software

    11. Re:If you write SQL injections by phantomfive · · Score: 1

      In that case, you didn't write the sql injection, someone else did.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:If you write SQL injections by phantomfive · · Score: 1

      Well why would QA be in charge of validating security?

      Because security is an aspect of security. They don't have to find every security vuln, but it's not outrageous to ask them to find super-obvious simple things.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:If you write SQL injections by rubycodez · · Score: 1

      Correct, but you still have an SQLi problem and can't walk around whistling Dixie thinking everything is fine

    14. Re:If you write SQL injections by phantomfive · · Score: 2

      Generally I would suggest avoiding web frameworks etc with those problems, though.......

      --
      "First they came for the slanderers and i said nothing."
    15. Re:If you write SQL injections by turbidostato · · Score: 1

      "As the CIO, I would ask the source code to be extracted from SVN/GIT, and then everyone who touched the last version of ANY file that has dynamic (SQL injection vulnerable) SQL in it be immediately fired."

      That's one thing (among a lot of others) explaining why you'll never be a CIO, so don't worry, you won't have the chance to fire anybody.

    16. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      Well, that's if security is part of the specs, when upper management of a security company makes it very clear to everyone: "we don't care about security, that new feature needs to go out tomorrow to sign the next deal, no matter what". That is even if customer contracts demand to be informed about security vulnerabilities and the VP says "do not tell customers". Again, why would you blame QA when the ones in upper management are the ones pushing for the lack of security. Very few companies are actually taking security seriously. Most of them consider breaches to be part of the cost of doing business.

      So what would QA do? Notifying, in writing, about the issue will at best be a career limiting move within the company. Quit in protest? Well, they have an H1-B or green card process in place... stuck and can't move. If that QA person quits, should they make the issue public? Well that would very much jeopardize all these vested pre-IPO options. Would you risk 1 month's, 1 year's, or 10 years' potential salary because it is the right thing to do?

    17. Re:If you write SQL injections by phantomfive · · Score: 1

      QA can say, "I don't approve this release. If you release it, you can, but I don't approve it." That's about all.

      --
      "First they came for the slanderers and i said nothing."
    18. Re:If you write SQL injections by ShanghaiBill · · Score: 2

      As the CIO, I would ...

      As the CEO, I would fire the CIO.

    19. Re:If you write SQL injections by Anonymous Coward · · Score: 0

      The thing is, the majority of these issues stem from people that specifically DON'T work as a web developer.
      These cases usually come from other people in a company who are told to come up with a website and are reasonably smart in a related area, like programming, so they do a quick once over of JS, SQL, PHP and the sort, put together some crap website and call it a day.
      Don't forget large amounts of copy-pasted code straight outta stackoverflow-ton.

      Most of them don't even use things like jQuery and that either, if they did use large amounts of libraries, most of these issues would never come up.
      But they don't. They go it alone, without a single clue that SQL and PHP are some of the easiest languages to write horribly broken and insecure code for.
      Why they are still around I have no idea, but more to the point, most importantly, why that broken and easily abused syntax still EXISTS is beyond me!
      It would be trivial to fix and would only break people's sites if they upgraded, which is STILL A GOOD THING because it will force them to write proper code!

    20. Re:If you write SQL injections by phantomfive · · Score: 1

      The thing is, the majority of these issues stem from people that specifically DON'T work as a web developer. These cases usually come from other people in a company told to come up with a website and are reasonably smart in a related area, like programming, so they do a quick once over of JS, SQL, PHP and the sort, put together some crap website and call it a day. Don't forget large amounts of copy-pasted code straight outta stackoverflow-ton.

      This isn't an excuse

      --
      "First they came for the slanderers and i said nothing."
  4. Come on by liqu1d · · Score: 1

    This is just embarrassing. There's absolutely zero excuse for SQLi these days.

    1. Re:Come on by gstoddart · · Score: 2, Insightful

      This is just embarrassing. There's absolutely zero excuse for SQLi these days.

      Define 'excuse'.

      Lazy. Incompetent. Indifferent. Greedy.

      The usual set of 'excuses' apply here. And as long as companies have no liability for crap like this, it will keep happening.

      --
      Lost at C:>. Found at C.
  5. pinball.sys by Anonymous Coward · · Score: 0

    is the problem.

  6. IANAL, but I know one & by Anonymous Coward · · Score: 1

    This is sort of asking for a class action suit.

    1. Re:IANAL, but I know one & by gnupun · · Score: 2

      Why the heck is this data sitting on a machine connected to the internet? Collect the data, then periodically (every month or so) append it to an internal (non-internet) machine. Then delete the sensitive data (name, address) from the internet connected server. Any hack will only get a month's worth of data.

    2. Re:IANAL, but I know one & by phantomfive · · Score: 1

      Transmitting passwords unencrypted (probably storing them unencrypted) is a pretty clear sign of negligence at this point. I would say that SQL injections are too, but that's (a little) more of a stretch. Considering it's been best practices to encrypt passwords for over two decades if not longer, then I wouldn't be surprised if a class action lawsuit won.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:IANAL, but I know one & by gstoddart · · Score: 1

      You seem to imply there is legal "duty of care" (or whatever you'd call it).

      They don't care. They never promised to care. The license probably says they don't care. The people who run the company don't care.

      Taking steps to care presupposes they care. If they don't care what happens to your "sensitive data", they're sure as hell not going to take steps to protect it. Because that would involve caring.

      What part of greedy corporation shielded by license agreements and only interested in their own profits do people not understand here?

      Oh, and did I mention that the license probably includes terms which says you can't sue them and need to agree to binding arbitration in a forum of their own choosing?

      And that forum of their choosing will simply say we don't fucking care and never promised to.

      --
      Lost at C:>. Found at C.
    4. Re:IANAL, but I know one & by Anonymous Coward · · Score: 0

      Good luck suing a Chinese company.

    5. Re:IANAL, but I know one & by ArsenneLupin · · Score: 1

      A good point for data protection laws as in the EU. Here companies can be held criminally responsible if they breach their duty of care.

    6. Re:IANAL, but I know one & by matthewv789 · · Score: 1

      I agree, but what negligence? What law or standard says that a business has to use encryption and protect passwords? Yes, there are rules surrounding finance, e-commerce (if paying by credit card at least) and healthcare, and maybe government contractors, but that's about it. There is no standard or rule or law that says they can't publish your usernames and passwords on their homepage for convenience if they feel like it...

    7. Re:IANAL, but I know one & by matthewv789 · · Score: 1

      What I'm saying is that most of what programmers say about this is essentially "pride of craft" - we code things securely because we take pride in making a secure product. But not everyone takes pride in their work, and when combined with not everyone caring about customers or their privacy, you have the situation we're in.

      Lots and lots of businesses just do the minimum they need to to sell crap to customers and make a buck. Even if they take pride in their products, their website is beyond their understanding, outside of their expertise, and in some cases at least partly out of their control. Most of them will at least try to comply with the letter of the law too, but there aren't any laws requiring "secure website coding".

    8. Re:IANAL, but I know one & by phantomfive · · Score: 1

      Here is the legal definition of negligence:

      Negligence is a failure to use reasonable care that results in harm to another party. Under negligence law, there are two different forms of negligence. In one form, a person does something that a reasonable person would not do. In the other form a person fails to take action that a reasonable person would take to prevent harm. Both forms of negligence can result in a negligence lawsuit filed against the party responsible for the damage.

      So you would have to show that a reasonable person would not publish usernames and passwords on their homepage (and you would also have to demonstrate harm from their actions).

      --
      "First they came for the slanderers and i said nothing."
  7. Typical Corporate Bullshit by Anonymous Coward · · Score: 1

    This is the kind of crap that you get when the website is outsourced to H1-Bs and contractors with zero liability who don't give a damn. Leaking personal information should be a civil offense in the United States, punishable with fines for each piece of personally identifiable information leaked. It should be like HIPAA, maybe then these companies would take security seriously.

    1. Re:Typical Corporate Bullshit by Anonymous Coward · · Score: 0

      Nice H-1B rant against a Chinese company.

  8. Other reasons not to buy VTech toys: by Anonymous Coward · · Score: 1

    They don't provide adequate feedback for interaction. For example, you'll push a button, but then the toy will keep hounding you with sounds for five minutes -- well after you've put it down and gone on to do something else. So it'll distract your child from what they were interested in. If you have 5 VTech toys in your house then your child won't know wtf to do, with each toy beckoning them. I don't see why they don't react only when you push a button.
     
    Besides that, when you initially turn on the toys, they hound you as well. But if you leave the toy on completely so that say, when you put your kid in the play room and turn on all his toys so he can choose what he wants to play with, he won't be hounded for 5 minutes by everything until it dies down.... well that doesn't work for you because every hour these toys seem to randomly go off, so in the middle of the night you'll hear annoying toy sounds for no reason.
     
    If you have to get electronic toys that do this type of thing, Leap Frog is a much better option imho. They tend to provide feedback for certain interactions, not just randomly, and they don't keep beckoning you and distracting you from what you had your attention on. I think if a kid has these toys he'll develop some focusing problems.

    1. Re:Other reasons not to buy VTech toys: by Anonymous Coward · · Score: 0

      We remove the batteries from most of the toys. Honestly. I have to agree about VTech, though. I still have nightmares about the talking car that you can't switch off.
      That toy met an unfortunate end.

    2. Re:Other reasons not to buy VTech toys: by Anonymous Coward · · Score: 0

      :) Thanks, that made my day. One less VTech toy on the planet makes the world that much better.

  9. Who thinks of the kids these days? by sanf780 · · Score: 1

    Kids are definitely insecure as of today.

  10. We never seem to learn by Anonymous Coward · · Score: 0

    Given everything that is happening, you see yet another example of stupidity in protecting people's information. VTech was so dumb it did not even discover its own breach. Someone else had to inform them. I hope VTech gets exactly what they deserve. Idiots.

  11. Probably because both parents work by HalAtWork · · Score: 1

    Probably because nobody stays at home with the kid all day, kids don't have the security of a routine and less nurturing. They only get some guardian's partial frantic attention since they have to watch 10 other kids, and then burnt out parents at home busy making dinner and getting ready for tomorrow. Then there's those daycares that just tie kids to the bed all day and who knows what the fuck else. I'd be insecure too.

    1. Re:Probably because both parents work by Anonymous Coward · · Score: 0

      This.

  12. Re:SQL Injection... really? by rubycodez · · Score: 1

    Too bad bind variables can't be used for everything that can vary in SQL.

  13. Highly P0wnable??? Re:pinball.sys by davidwr · · Score: 1

    Highly P0wnable Fsck'd-up System????

    (Bonus points to any reader that gets the double-entendre)

    For those of you who need a hint:

    I think my sense of privacy is saying "I've been manhandled."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Obligatory XKCD by doctorbrassica · · Score: 1

    Little Bobby DROP TABLES http://xkcd.com/327/

  15. Re:SQL Injection... really? by LiENUS · · Score: 1

    bind variables can be used for any value that can vary, that's the whole point of them.

  16. Re:SQL Injection... really? by rubycodez · · Score: 1

    that's an absolutely false statement; you are ignorant of SQL and what can be used with bind variables
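
phantomfive's point about parameterized queries (above, "If you write SQL injections") and the bind-variable exchange between rubycodez and LiENUS, worked through in one added example that is not code from the thread: a value bound as a parameter is never parsed as SQL, while identifiers such as the ORDER BY column, which no SQL engine lets you bind, are restricted to an allow-list instead. It uses Python's standard sqlite3 module over a constructed in-memory table; the table, rows and column list are assumptions of the example.

```python
import sqlite3

# Identifiers cannot be bound, so the only safe way to let a caller choose the
# sort column is to restrict it to names the application already knows.
SORTABLE_COLUMNS = {"id", "email"}
SORT_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a three-row user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.test", "h1"), ("bob@example.test", "h2"), ("carol@example.test", "h3")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """Dynamic SQL: the caller's string is spliced into the statement text,
    so quote characters in it change the query's structure."""
    sql = "SELECT id, email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str):
    """Bind variable: the statement is compiled with a placeholder and the
    value travels separately, so it can only ever be compared as data."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def is_safe_sort(column: str, direction: str) -> bool:
    """Allow-list check for the parts of the query that a bind variable cannot carry."""
    return column in SORTABLE_COLUMNS and direction.upper() in SORT_DIRECTIONS


def list_users_sorted(conn: sqlite3.Connection, column: str, direction: str = "ASC"):
    """ORDER BY with a caller-chosen column: validated against the allow-list,
    then quoted as an identifier, never passed through as a parameter."""
    if not is_safe_sort(column, direction):
        raise ValueError("unsupported sort column or direction")
    sql = f'SELECT id, email FROM users ORDER BY "{column}" {direction.upper()}'
    return conn.execute(sql).fetchall()
```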