Slashdot Mirror

← Back to Stories (view on slashdot.org)

VTech Hack Gets Worse: Chat Logs, Kids' Photos Taken In Breach (vice.com)

Posted by samzenpus on from the from-bad-to-worse dept.

An anonymous reader writes: The VTech hack just got a little worse. Reports say that in addition to the 4.8 million records with parents' names, home addresses, passwords and the identities of 227k kids, the hackers also have hundreds of gigabytes worth of pictures and chat logs belonging to children. ZDNet reports: "Tens of thousands of pictures — many blank or duplicates — were thought to have been taken from from Kid Connect, an app that allows parents to use a smartphone app to talk to their children through a VTech tablet. Motherboard was able to verify a portion of the images, and the chat logs, which date as far back as late-2014. Details about the intrusion are not fully known yet. The hacker, who for now remains nameless, told Motherboard that the Hong Kong-based company 'left other sensitive data exposed on its servers.'"

36 of 69 comments (clear)

  1. Mail or call the us office by Joe_Dragon · · Score: 2

    1156 W Shure Dr #200, Arlington Heights, IL 60004

    (847) 400-3600

    1. Re:Mail or call the us office by mwvdlee · · Score: 2

      To do WHAT exactly?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  2. Numbers don't add up. by jtownatpunk.net · · Score: 2

    I keep seeing reports of this saying "4,800,000 parents" and "227,000 children". Can someone please explain this?

    1. Re:Numbers don't add up. by DarkSkiez · · Score: 2

      Simple answer: Not every registered parent (for maybe warranty or something) had registered children in the system.

    2. Re:Numbers don't add up. by Anonymous Coward · · Score: 1

      Most parents aren't going to put their kids information into these things, especially if there is no reason to.

    3. Re:Numbers don't add up. by _merlin · · Score: 1

      A parent needs to register in order to purchase and/or download apps. I expect a lot of parents register just to browse the catalogue and look at prices. Some applications require you to register a child's information to enable certain functionality, but many parents wouldn't download any of these apps, and if they do, they may not enter information for any children.

      Essentially, for every family with at least one of these devices where they want to browse/download/purchase apps, at least one parent will be registered, but zero or more children may be registered. You'd only get more parents than children registered in rare cases when a family that has more than one child using these devices, the parent installs an app that can use children's data, and they register multiple children. That isn't going to outweigh the cases where no children are registered.

  3. Even worse than that by WillAffleckUW · · Score: 2

    Expect fake lost kids emails and other much worse things.

    There is evil. And then there's Evil.

    This is the latter.

    --
    -- Tigger warning: This post may contain tiggers! --
  4. Re:Chat logs belonging to children . . . by Anonymous Coward · · Score: 2, Insightful

    People that exist, but neither you nor I would have any desire to meet.

  5. Stop The Presses by crow_t_robot · · Score: 1, Insightful

    I'm guessing that reactionary mommy bloggers everywhere are losing their minds about this non-story while every useful person on this planet continues with their lives.

    1. Re:Stop The Presses by Coren22 · · Score: 1

      Or Crow clicked on the link to make that comment as this didn't belong on the Slashdot front page as it is a non-story. Another company hacked due to lax security, news...when we feel like it.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  6. Why were they storing these? by MobyDisk · · Score: 4, Insightful

    The important question is why the data was stored on VTech's servers in the first place.

    THIS ^^^^^^^^ THIS

    This corporate culture of "store everything" needs to go away. At least in the past, we had storage limitations that made this infeasible. But dammit, as a software engineer, if the system requirements tell me to store something that would be bad if it was released, then I'm not storing it unless there is a damned good reason AND it is well encrypted.

    My kids have some vtech stuff. I downloaded their app that lets the toy know the child's name, birthday, and favorite food. But that's it. It never occurred to me that they would have any reason to store that information. Let alone storing photos and chat logs from devices that have that capability.

    WTF!!!!! I am anxious to hear about this. This is why I used to use a personal firewall years ago. Everything phones home. But now they are impractical.

    1. Re:Why were they storing these? by Scutter · · Score: 1

      We can start with mail servers and this ridiculous desire to keep every e-mail from the last twenty years "just in case".

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:Why were they storing these? by tlhIngan · · Score: 4, Interesting

      This corporate culture of "store everything" needs to go away. At least in the past, we had storage limitations that made this infeasible. But dammit, as a software engineer, if the system requirements tell me to store something that would be bad if it was released, then I'm not storing it unless there is a damned good reason AND it is well encrypted.

      Not to mention with child privacy laws, this sort of thing has to be well kept.

      For an example - take a look at Nintendo - we lambast them for "friend codes" and awkward DRM. But you realize that the intersection of various child privacy laws worldwide mean Nintendo basically cannot ask for any information - no name, no email address or anything.

      And by doing this, they just have to associate a hardware serial number (anonymous!) with purchases (also anonymous!). If you transfer to another console, it's moving the purchases to a new serial number.

      But this means you also cannot create an account and re-download stuff (because Nintendo doesn't know who you are), and if your console breaks, you have to bring it back to Nintendo (so they can move the stuff to a new serial number).

      Sure today you can create a "Nintendo Network" account that tries to associate your purchases with an ID, but that's optional and you still suffer the same limitations.

      it's the only way Nintendo could guarantee even if they were hacked, that there was no private data to take, and legally they couldn't collect any information.

    3. Re:Why were they storing these? by TWX · · Score: 1

      I don't understand how virtual layer 2 networks with tagging would help in situations like this.

      --
      Do not look into laser with remaining eye.
    4. Re:Why were they storing these? by Bengie · · Score: 1

      Only if you're sending tagged frames out the interface. Don't let tagged frames out the interface.

    5. Re:Why were they storing these? by Ol+Olsoc · · Score: 1

      The important question is why the data was stored on VTech's servers in the first place.

      THIS ^^^^^^^^ THIS

      This corporate culture of "store everything" needs to go away.

      But. But! BUT! Think of the children!!!

      oh......wait....

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Why were they storing these? by AmiMoJo · · Score: 1

      I downloaded their app that lets the toy know the child's name, birthday, and favorite food. But that's it. It never occurred to me that they would have any reason to store that information.

      What did you think they would do with it?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Why were they storing these? by Coren22 · · Score: 1

      Then they screw it up, and when you switch from a Wii to a Wii U, the accounts are incompatible, and have to be completely redone.

      I now have 4 Nintendo accounts and no way for them to cooperate.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:Why were they storing these? by Coren22 · · Score: 1

      They were apparently thinking a little too much about the children.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  7. Re:Chat logs belonging to children . . . by Anonymous Coward · · Score: 2, Insightful

    "We have your son, Timmy. Here's a picture for proof. He says he really misses his dog Spot. If you want to see him alive again, wire $5000 to ..."

  8. breach fatigue by k6mfw · · Score: 2

    Every day I read about zillion emails and other personal information is hacked. Like MobyDisk asks why are they storing this stuff? I think companies should be liable for loss of personal information so then they will first think is it necessary to gather information. Then if they do they better have some damn good methods of keeping it safe. Yes, I have personal firewall on all the time. I also have computers that are never put online. Then these places ask for name, birthdate and address. I may give them name and address, birthdates are different than my actual.

    So now here's another hack and loss of data, ho hum, just another disaster in IT land, yawn. This can be serious. There might be a breach that will really screw things up and nobody will flinch.

    --
    mfwright@batnet.com
    1. Re:breach fatigue by Zero__Kelvin · · Score: 1

      Is there any reason why the parents shouldn't be liable for loss of personal information given that they gave it away?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:breach fatigue by Zero__Kelvin · · Score: 1

      It's not an item, so your analogy is completely broken. Thanks for playing though!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:breach fatigue by KGIII · · Score: 1

      It's not a loss of personal information, it's just a copy of the information and information wants to be free. Once you have a thought and share it, it is no longer your's. It belongs to everybody. You don't own information.

      (Yes, yes I am kidding - but, well, it's an interesting line of thought to see if anyone will actually defend this as such.)

      Conclusion: This material should be covered under copyright laws and should not be able to be willed away by the parent of a child by something so trivial as a EULA.

      --
      "So long and thanks for all the fish."
    4. Re:breach fatigue by mwvdlee · · Score: 1

      It's already covered under copyright laws (as far as that can possibly apply to most of this information).
      Copyright applies to anything and everything unless explicitely made available by the owner.

      The problem is allowing bait-&-switch tactics like EULA's in the first place.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:breach fatigue by KGIII · · Score: 1

      Yup. I was thinking of how to approach this as a legal argument. That's where I'd start. The EULA shouldn't actually allow a parent to sign away the copyrights on the works of their children - regardless of what they signed. It should not be legally binding. Copyright can come in handy. I'd go after it in this direction but then the parents assume partial liability (potentially). My hope is that everyone learns a lesson but, ya know, I'm sometimes a deluded idealist.

      --
      "So long and thanks for all the fish."
  9. As a parent... by nomel · · Score: 1

    I don't get the issue...

    I don't remember the registration asking for an address, just an email. If they did ask, it was "1234 fake st".

    Omg they have my email address and name noooooo. And who cares about a pic of my kid, who looks like a million and one other kids out there.

    If you want to see the interesting depths of a chat log of a kid, just fire up your favorite markov chain.

    Wtf is everyone so worked up about?

    1. Re:As a parent... by ColdWetDog · · Score: 1

      Think of the children!

      --
      Faster! Faster! Faster would be better!
    2. Re:As a parent... by R3d+M3rcury · · Score: 1

      Because it's children! Dear God, won't somebody think of the children!

    3. Re:As a parent... by KGIII · · Score: 1

      Presumably someone is and, I suppose, therein lies the root of the complaints.

      --
      "So long and thanks for all the fish."
    4. Re:As a parent... by Coren22 · · Score: 1

      The problem is, some people think far too much about the children.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:As a parent... by Voyager529 · · Score: 1

      You're making the mistake of thinking like a slashdotter,where you're absolutely right in your assessment. Allow me to paint a better picture of the average person whose data is actually involved.

      1.) Registration with fake information? That's "sensible skepticism", a holdover from the earlier days of the internet. In the 90's, 1234 fake street, 123 maple street, and 12345 main street were quite crowded buildings. Since vanity and exhibitionism has become the norm on the internet, it's quite common to actually write out "Kyle Castillo, 672 Spruce Place, Schenectady, NY 18421". No one questions a request for an address anymore.
      2.) E-mail addresses have become a bit more of an identity than they used to be. Google 'voyager529', and you'll see a whole lot of information about me...and 'voyager' isn't even really my name. Moreover, since "voyager529@aol.com" was deemed an 'unprofessional' e-mail address to have, 'Kyle.Castillo@gmail.com' became much more common. Thus, having an e-mail address that's actually tied to you is more identifiable now than it was in the past.
      3.) You and I know that 'a picture of your kid' isn't all that much, but to those who are of the persuasion that the "zoom and enhance" magic on CSI is actually realistic, it's a hop, skip, and a jump to "they can remove clothes, and change positions, and...". Anyone who has actually used Photoshop knows that this is bollocks, but again, we're dealing with parents who buy toys for their children that include video chat and don't read the privacy policy where those things are stored.
      4.) A child's chat log may not be noteworthy in itself, but remember that it's pretty simple to trick a child into something. If a particular child is targeted, and a person has enough information deemed important by the child to convince that child to follow them, it's possible to make a rather ugly mess because the child isn't likely to figure out that everything that is known by the stranger are things from the chat logs.

      Why am *I* worked up? Because this seems like, possibly, the one hack where people might actually wake up and pay a bit of attention. For once, "Think of the children" works in our favor. For once, the levels of fear that *should* have been present elsewhere are worth considering. Under false pretenses and as a result of a generation who gets their computer jargon from primetime TV? Yeah, I'll admit that...but it's not like the majority of people beyond Slashdot have cared otherwise.

  10. Data Retention is a Liability by bill_mcgonigle · · Score: 1

    Listen to Bruce Schneier make this important point:

    http://feeds.cato.org/~r/CatoD...

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. Hows that Honda S2000? by Anonymous Coward · · Score: 3, Funny

    VTEC just kicked in yo!

    1. Re:Hows that Honda S2000? by Coren22 · · Score: 1

      I always thought that was kind of funny, don't you want your engine to kick in the performance when you press the pedal (like Toyota) rather than when the engine finally reaches 3000 rpm (like Honda)?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  12. Re:Coren22's impersonation "APKolypse" by Coren22 · · Score: 1

    By posting off topic, APK is actually saying that he thinks about children all the time and he thinks he should be locked up to prevent him hurting a child.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?