Toy manufacturer VTech has been forced to suspend its Learning Lodge app store after details of five million users were stolen in a hack.
The Learning Lodge store offers apps, music, books, and games for children. Its database was hacked on November 14 and, after an investigation, the Hong Kong-based company has temporarily ceased trading on the stock exchange and closed its app store.
As well as shutting its app store temporarily, VTech has suspended 13 of its associated websites as a precautionary measure.
VTech said in a statement today that it believes the unauthorized party accessed users’ profile information, including names, email addresses, home addresses, IP addresses, download history, and the secret questions and answers used for password retrieval.
The database also stores the name, gender and birthday of children using VTech’s toys and tablets.
The breach has affected user accounts in the US, Canada, UK, Ireland, France, Germany, Spain, Belgium, Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, New Zealand and Australia. VTech says it has contacted everyone who may have had their details stolen.
The one somewhat good thing for the users involved is that VTech does not store payment information, so credit card details are safe. However, with all of the other sensitive information now out there, it wouldn’t be difficult for a hacker to maliciously target a specific user on other platforms.
VTech was slow to respond to reports of the hack when they first appeared on Friday. However, after security analyst Troy Hunt verified a sample of the stolen data that was dumped onto the internet, the company released a further statement confirming the severity of the breach. It said:
“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future… The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech.”
According to Hunt, the passwords on VTech’s database didn’t have sufficient protection. He said:
“…they’re protected with nothing more than a straight MD5 hash, which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text.”