VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

If you write SQL injections

[phantomfive]

If you know a programmer who writes code vulnerable to SQL injections, tell them to buy this book. If you are a programmer that writes SQL injections, you need it (or a swift kick in the head).

Seriously, this is an old, solved problem. We know how to write code with zero SQL injections. It's been solved, and there is no excuse for having any of them in your code.

Re:Honestly ...

[RobinH]

It's a lost cause. Our school sends home permission slips to allow the teachers to post pictures and videos of our kids on the school website at least once a year, sometimes more. I always say 'no' and my wife respects this, but she gets annoyed with me. She thinks I'm paranoid, and I told her I'm not paranoid, I'm just trying to make a point to the school, and in a way that's fairly painless for us.

Then one day she signed a permission for a video to be posted without consulting me. I was a bit upset, and she started saying that "it was password protected with a different password for each class." I got her to login to see our classes videos and pictures, and I could see at the top that once you were past the login page, it didn't seem like there was any session or anything. I showed her how I could take the URL for that picture and post it into another browser and it let me in without asking for a password. She still didn't quite get it or believe me. The URL was in the form of a GET request, with a picture ID number in the URL. I just started modifying the URL and typing in other numbers. Not every one was a hit, but I started bringing up pictures of kids in other classes. I said, "how can I see these if you've only entered the password for our daughter's class?" That finally seemed to prove my point, that the school (and whoever their web portal supplier was) just wasn't competent at making this secure, if I could get past their security in a few minutes. Unfortunately I can't really report that to the school or anything because I would just end up with police at my door.