Slashdot Mirror


VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids (vice.com)

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

15 of 65 comments

  1. Honestly ... by gstoddart · · Score: 4, Insightful

    VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws

    Just stop using this crap ... over and over and over and over we see these same damned stories.

    Stop handing all this information over to companies who are too indifferent and incompetent to give a shit about how badly they misuse your data.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly ... by matthewv789 · · Score: 4, Insightful

      The problem is 99% of the population has no idea, and will never have any idea. And neither do the websites' owners. Asking a handful of nerds not to use their site is not going to do any good, and sending them an email telling them their site sucks isn't going to help much either.

      These sites will still be just as insecure in 15 years if there isn't a legal requirement to use encryption, hash passwords, and pass at least basic automated scans for SQL injection, XSS, and other common attacks. Seriously, outside of the dot.com/web services space, financial services and e-commerce where they have to pass PCI, this level of insecurity is extremely widespread, at all sizes of companies, and it's not changing any time soon.

    2. Re:Honestly ... by RobinH · · Score: 3, Informative

      It's a lost cause. Our school sends home permission slips to allow the teachers to post pictures and videos of our kids on the school website at least once a year, sometimes more. I always say 'no' and my wife respects this, but she gets annoyed with me. She thinks I'm paranoid, and I told her I'm not paranoid, I'm just trying to make a point to the school, and in a way that's fairly painless for us.

      Then one day she signed a permission for a video to be posted without consulting me. I was a bit upset, and she started saying that "it was password protected with a different password for each class." I got her to login to see our classes videos and pictures, and I could see at the top that once you were past the login page, it didn't seem like there was any session or anything. I showed her how I could take the URL for that picture and post it into another browser and it let me in without asking for a password. She still didn't quite get it or believe me. The URL was in the form of a GET request, with a picture ID number in the URL. I just started modifying the URL and typing in other numbers. Not every one was a hit, but I started bringing up pictures of kids in other classes. I said, "how can I see these if you've only entered the password for our daughter's class?" That finally seemed to prove my point, that the school (and whoever their web portal supplier was) just wasn't competent at making this secure, if I could get past their security in a few minutes. Unfortunately I can't really report that to the school or anything because I would just end up with police at my door.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
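    The portal failure RobinH describes is a missing per-request authorization check: the picture id in the URL is the only thing the server looks at. The following is an added example, not code from the thread or from any school portal vendor, modelling that handler beside a hardened one. The picture store, the per-class passwords, the session table and the picture ids are all constructed for the example.

```python
"""
Constructed model of a class-photo portal: a handler that serves any picture
whose id is guessed, beside one that ties every request to the class the
session actually unlocked. All data below is made up for the example.
"""
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: which class each picture belongs to.
PICTURES: Dict[int, Dict[str, object]] = {
    1001: {"class_id": "grade3-room12", "data": b"<jpeg bytes 1001>"},
    1002: {"class_id": "grade3-room12", "data": b"<jpeg bytes 1002>"},
    1003: {"class_id": "grade5-room4", "data": b"<jpeg bytes 1003>"},
    1004: {"class_id": "kindergarten-b", "data": b"<jpeg bytes 1004>"},
}

# Constructed shared passwords, one per class (the portal's own model).
CLASS_PASSWORDS: Dict[str, str] = {
    "grade3-room12": "tigers2015",
    "grade5-room4": "eagles",
    "kindergarten-b": "bees",
}

# Server-side session store: opaque token -> class the holder authenticated for.
SESSIONS: Dict[str, str] = {}


def login(class_id: str, password: str) -> Optional[str]:
    """Issue a random session token if the class password matches, else None."""
    expected = CLASS_PASSWORDS.get(class_id)
    if expected is None or not secrets.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = class_id
    return token


def get_picture_vulnerable(picture_id: int) -> Optional[bytes]:
    """The behaviour described in the comment: the request carries only a
    picture id and the handler never asks who is requesting, so the login
    page protects nothing once someone has a URL to paste or a number to change."""
    pic = PICTURES.get(picture_id)
    return pic["data"] if pic else None  # type: ignore[return-value]


def get_picture(session_token: Optional[str], picture_id: int) -> Optional[bytes]:
    """Hardened handler: the session is consulted on every request and the
    picture is served only if it belongs to the class that session unlocked.
    A picture the caller is not entitled to is reported exactly like one that
    does not exist, so the id space cannot be mapped by probing responses."""
    class_id = SESSIONS.get(session_token or "")
    if class_id is None:
        return None
    pic = PICTURES.get(picture_id)
    if pic is None or pic["class_id"] != class_id:
        return None
    return pic["data"]  # type: ignore[return-value]


def count_reachable(fetch: Callable[[int], Optional[bytes]], ids: Iterable[int]) -> int:
    """Exposure measurement for a defender's audit: how many pictures in an id
    range a given fetch path hands back. Ideal for a legitimate session is
    'only that class'; for the unauthenticated path it should be zero."""
    return sum(1 for i in ids if fetch(i) is not None)


if __name__ == "__main__":
    token = login("grade3-room12", "tigers2015")
    assert token is not None
    ids = range(1000, 1010)
    print("vulnerable handler, no login:", count_reachable(get_picture_vulnerable, ids))
    print("hardened handler, class login:", count_reachable(lambda i: get_picture(token, i), ids))
```

    Run against the constructed data, the unauthenticated path to the vulnerable handler returns all four pictures, while the hardened handler returns only the two belonging to the class that was logged in, and nothing at all without a valid token.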
    3. Re:Honestly ... by jheath314 · · Score: 2

      Even better, companies should stop the rampant collection of non-essential information.

      Large databases of sensitive information are just massive breaches waiting to happen. If it's not a SQL injection attack, it will be some other exploit (heartbleed, shellshock, logjam, etc.) Even if you could magically defeat every exploit, the data can get exposed by any malicious or incompetent administrator. If nothing else, authorities with sufficient interest in the data could simply compel the database owners to turn it over.

      When it comes to protecting amassed information, the only winning move is not to play.

      --
      Procrastination Man strikes again!
    4. Re:Honestly ... by RobinH · · Score: 2

      I know you're trolling, but my wife is arguably smarter than I am (and has the Ph.D. to prove it). The fact is, outside of technology circles, nobody knows or cares about this stuff (which was my point).

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    5. Re:Honestly ... by godel_56 · · Score: 2

      That finally seemed to prove my point, that the school (and whoever their web portal supplier was) just wasn't competent at making this secure, if I could get past their security in a few minutes. Unfortunately I can't really report that to the school or anything because I would just end up with police at my door.

      Report it anonymously to your local newspaper.

    6. Re:Honestly ... by rubycodez · · Score: 2

      what's funnier is slashdotters who work in IT, who have posted in other articles about security that the main thing is employees' ability to get their job done with no inconvenience, and security that causes inconvenience or makes it harder to do the job is bad. They make fun of "security nuts" like the OpenBSD and related projects teams, and those that seek to tighten up Linux distros' security, for example.

      No you fucking twats, you're part of the problem. Security is painful, good security is more painful. Security is the number one issue IT faces.

  2. If you write SQL injections by phantomfive · · Score: 4, Informative

    If you know a programmer who writes code vulnerable to SQL injections, tell them to buy this book. If you are a programmer that writes SQL injections, you need it (or a swift kick in the head).

    Seriously, this is an old, solved problem. We know how to write code with zero SQL injections. It's been solved, and there is no excuse for having any of them in your code.

    --
    "First they came for the slanderers and i said nothing."
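    The "solved problem" phantomfive refers to is parameterized queries: the SQL text is fixed and user input travels separately as a bound value, so the database never parses it as SQL. The following is an added example, not code from the thread or from VTech, showing a string-built lookup beside its parameterized form, using Python's sqlite3 with an in-memory database and constructed rows. It also hashes the stored passwords, as a later comment in this thread asks for, rather than comparing them in the query.

```python
"""
Constructed parents table in an in-memory SQLite database, queried two ways:
a string-formatted query that lets input change the query's meaning, and a
parameterized query that treats the same input as an opaque literal.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-row salt; never store the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Create the constructed sample table with two parent accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents ("
        " id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,"
        " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    for email, password in [("alice@example.com", "correct horse"),
                            ("bob@example.com", "battery staple")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO parents (email, salt, pw_hash) VALUES (?, ?, ?)",
            (email, salt, _hash_password(password, salt)),
        )
    conn.commit()
    return conn


def find_parent_vulnerable(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Defective lookup: the caller's text is spliced into the SQL itself, so a
    quote character in `email` ends the literal and the rest is parsed as SQL."""
    query = f"SELECT id, email FROM parents WHERE email = '{email}' ORDER BY id"
    return conn.execute(query).fetchone()


def find_parent(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Parameterized lookup: the SQL is a constant; `email` is bound as a value
    and can only ever match (or fail to match) a column, never alter the query."""
    return conn.execute(
        "SELECT id, email FROM parents WHERE email = ? ORDER BY id", (email,)
    ).fetchone()


def authenticate(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Fetch the salt and hash by bound parameter, then verify in code with a
    constant-time comparison. The password itself never reaches the SQL text."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM parents WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    db = build_db()
    # Constructed input containing a quote: harmless as a bound value, a query
    # rewrite when formatted into the SQL string.
    probe = "x' OR '1'='1"
    print("string-built query returned:", find_parent_vulnerable(db, probe))
    print("parameterized query returned:", find_parent(db, probe))
    print("alice, right password:", authenticate(db, "alice@example.com", "correct horse"))
    print("alice, wrong password:", authenticate(db, "alice@example.com", "battery staple"))
```

    With the constructed input, the string-built query stops filtering and returns the first account in the table, while the parameterized query simply finds no parent whose address is that literal string. The fix is not input filtering; it is never letting data become part of the query text.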
    1. Re:If you write SQL injections by matthewv789 · · Score: 2

      You're preaching to the choir. I wouldn't be surprised if the majority of web developers in existence do not read slashdot, barely know how to program, and have never even HEARD of SQL injection (or other common attacks), and if they have... they stopped working on that site 10 years ago and it's been running on autopilot ever since, with only minimal maintenance as needed since then (often by someone not very competent or up to date). This problem isn't going to be solved until it's illegal to run insecure sites like this. (Of course that won't solve the overall problem of hacking, even sites that are very careful and have taken all precautions have been hacked; I just mean the problem of completely retarded sites like this.)

    2. Re: If you write SQL injections by liqu1d · · Score: 3, Insightful

      You're probably right as the majority of "web developers" these days have it all prebuilt into Wordpress for them.

    3. Re:If you write SQL injections by rubycodez · · Score: 2

      False. Your code can be perfect and still be subject to SQL injection depending on where and how it is run, because of vulnerabilities outside the code, in the web framework or web serving software.

    4. Re:If you write SQL injections by phantomfive · · Score: 2

      Generally I would suggest avoiding web frameworks etc with those problems, though.......

      --
      "First they came for the slanderers and i said nothing."
    5. Re:If you write SQL injections by ShanghaiBill · · Score: 2

      As the CIO, I would ...

      As the CEO, I would fire the CIO.

  3. Re:IANAL, but I know one & by gnupun · · Score: 2

    Why the heck is this data sitting on a machine connected to the internet? Collect the data, then periodically (every month or so) append it to an internal (non-internet) machine. Then delete the sensitive data (name, address) from the internet connected server. Any hack will only get a month's worth of data.

  4. Re:Come on by gstoddart · · Score: 2, Insightful

    This is just embarrassing. There's absolutely zero excuse for SQLi these days.

    Define 'excuse'.

    Lazy. Incompetent. Indifferent. Greedy.

    The usual set of 'excuses' apply here. And as long as companies have no liability for crap like this, it will keep happening.

    --
    Lost at C:>. Found at C.