Slashdot Mirror


VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids (vice.com)

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."
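The two failings the summary names, user input spliced straight into SQL and passwords handled in the clear, as an added Python example written for this page (not VTech's code and not from the article); the in-memory table, the account name and the password are constructed for the demonstration, and a name containing a plain apostrophe is enough to show why the spliced query is unsafe:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for a site's accounts database.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: only this derived value is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def lookup_unsafe(username: str):
    # The flaw class from the story: the request value is spliced into the SQL text,
    # so whatever the user types becomes part of the statement.
    sql = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()

def lookup_safe(username: str):
    # Parameterized query: the value travels separately from the SQL and stays data.
    sql = "SELECT salt, pw_hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()

def verify(username: str, password: str) -> bool:
    row = lookup_safe(username)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def apostrophe_breaks_unsafe_query(username: str = "o'brien") -> bool:
    # A legitimate apostrophe is enough to show the input is parsed as SQL.
    try:
        lookup_unsafe(username)
    except sqlite3.OperationalError:
        return True
    return False

# Constructed sample account for the demonstration.
register("o'brien", "correct horse battery staple")
```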


  1. Honestly ... by gstoddart · Score: 4, Insightful

    VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws

    Just stop using this crap ... over and over and over and over we see these same damned stories.

    Stop handing all this information over to companies who are too indifferent and incompetent to give a shit about how badly they misuse your data.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly ... by matthewv789 · Score: 4, Insightful

      The problem is 99% of the population has no idea, and will never have any idea. And neither do the websites' owners. Asking a handful of nerds not to use their site is not going to do any good, and sending them an email telling them their site sucks isn't going to help much either.

      These sites will still be just as insecure in 15 years if there isn't a legal requirement to use encryption, hash passwords, and pass at least basic automated scans for SQL injection, XSS, and other common attacks. Seriously, outside of the dot.com/web services space, financial services and e-commerce where they have to pass PCI, this level of insecurity is extremely widespread, at all sizes of companies, and it's not changing any time soon.

  2. Re: If you write SQL injections by liqu1d · Score: 3, Insightful

    You're probably right as the majority of "web developers" these days have it all prebuilt into Wordpress for them.

  3. Re:Come on by gstoddart · Score: 2, Insightful

    This is just embarrassing. There's absolutely zero excuse for SQLi these days.

    Define 'excuse'.

    Lazy. Incompetent. Indifferent. Greedy.

    The usual set of 'excuses' apply here. And as long as companies have no liability for crap like this, it will keep happening.

    --
    Lost at C:>. Found at C.