What’s worse than a data breach of your personal data?

A data breach of your personal data and the personal data of your children.

That’s what may have happened – or may not, it’s still not clear – at electronic toy vendor VTech.

VTech makes educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.

Actually, right now you can’t shop for anything, because the site is temporarily shuttered following a data breach.

VTech’s own statement on the breach isn’t terribly reassuring:

VTech Holdings Limited today announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on NovemHKT

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

From the above, VTech certainly makes it sound as though the company has “done an Adobe”, storing passwords encrypted (so that if someone figures out the decryption key, they can recover all the passwords at once), and keeping password recovery information entirely unencrypted.

Adobe famously lost more than 100 million records in which password hints were not encrypted, meaning that many people’s passwords were easy to figure out.

To add to the trouble, everyone with the same password had the same encrypted data string to represent it, so that if anyone else had the same password as you, and was silly enough to put his password in the hint…then he revealed your password at the same time.

VTech certainly makes it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows a password to be verified.

After all, the official statement talks about a “secret question and answer for password retrieval”, as though the company will send you a copy of your password (presumably via email) if you can answer that secret question.

What we’re hoping is that VTech really meant to say that it stores your passwords hashed, not encrypted.

And we’re hoping it meant that those secret questions and answers are for password reset, which is quite a different beast from retrieval.

(Hint to VTech: these would be surprisingly useful details to clarify as soon as possible.)

Having said that, what was lost – especially as it seems to include everyone’s password reset/recovery data in plain text – is a serious matter, because it is data that crooks can use in other attacks.
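To make the salt-hash-stretch point concrete, here is an added example (ours, not VTech’s or Adobe’s code) contrasting a deterministic scheme, where equal passwords produce equal stored strings, with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256) that only allows verification. The user list and passwords are constructed sample data; the unsalted SHA-256 stands in for any scheme that maps the same password to the same stored value.

```python
import hashlib
import hmac
import os

# Constructed sample records: (user, password). Two users share a password.
USERS = [
    ("alice", "tr0ub4dor&3"),
    ("bob",   "tr0ub4dor&3"),
    ("carol", "correct horse"),
]

def deterministic_store(password: str) -> str:
    """Stand-in for an unsalted scheme (or encryption under one reused key):
    the same password always yields the same stored string, so equal
    passwords are visible as equal records in a leaked database."""
    return hashlib.sha256(password.encode()).hexdigest()

def salt_hash_stretch(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Salt (random, per user), hash, stretch (iterate). Stored as
    'rounds$salt_hex$digest_hex'; the password itself cannot be recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def collision_groups(records: dict) -> list:
    """Groups of users whose stored strings are identical. With deterministic
    storage one user's careless hint exposes everyone in the group; with
    per-user salts the groups vanish even though the passwords are equal."""
    by_value: dict = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]

def demo() -> tuple:
    """Returns (groups under deterministic storage, groups under salt-hash-stretch)."""
    det = {u: deterministic_store(p) for u, p in USERS}
    good = {u: salt_hash_stretch(p) for u, p in USERS}
    return collision_groups(det), collision_groups(good)
```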