VTech site remained vulnerable to an old SQL injection exploit.
UK police said they have arrested a 21-year-old man in connection with the November breach of electronic toymaker VTech, a hack that exposed personal data of almost 12 million people, including gigabytes' worth of headshot photos and chat logs for millions of kids and parents.
The unnamed man was arrested in Bracknell, about 30 miles west of London, news outlets widely reported Tuesday, citing a statement released by police. He was detained on suspicion of two offenses under the Computer Misuse Act: unauthorized access to a computer, and causing a computer to enable unauthorized access to data. Police also seized electronic devices during the arrest. No more details were provided.
The breach ultimately exposed data for 11.6 million people, 6.4 million of whom were minors. Personal information for children included their names, gender and birthdates, while details for parents included mailing and e-mail addresses, security questions used for password resets, IP addresses, password data, and download histories. The trove also included headshots and logs of chats between parents and their children. The information was stored in a database for VTech’s Learning Lodge app store, which is used by the company’s electronic toys. Almost half the compromised accounts belonged to people in North America, VTech’s top market.
News of the hack was broken in late November by Vice’s Motherboard website. A follow-up article reported that the unidentified hacker had no plans to publish or otherwise share the pilfered data. The post went on to explain the hacker’s motivation behind the breach.
As it turns out, it all started around “two months ago,” when the hacker said he randomly stumbled upon a thread in a forum of people dedicated to hacking the Innotab, a VTech tablet for kids. The forum shows that there’s an active community of hackers who like to tinker with the tablet, mostly “for the lulz,” as the hacker put it. For example, one member was able to install and play the famous 1990s video game Doom on the tablet.
In the thread, a forum member discussed a web service that VTech uses to manage all products.
That got the hacker curious. In the following weeks, he “browsed around” until he found one of the many VTech websites, planetvtech.com. The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection.
The hacker then quickly obtained the maximum level of administrative privileges on the server, known as “root” in technical jargon, and realized he could basically do whatever he wanted.
“Holy fuck, I have root, that was easy…what can I find?” the hacker recalled thinking.
At that point he started poking around, pivoted to other VTech servers, and was able to find some data. At some point, the hacker said, he found the two databases containing the personal data of millions of parents and thousands of children.
“When I got the [database] dumps, I realized how serious it was,” he told me in an encrypted chat.
Coverage of the breach has since increased the scrutiny given to the collection of children’s private data, with a bipartisan pair of US lawmakers pressing VTech to explain its practices. The Motherboard coverage leaves little doubt a crime was committed, but so far the bigger offense appears to be the carelessness in the way VTech handled millions of people’s data. It will be worth watching what penalty prosecutors seek if the suspect is found guilty and his account of the hack is confirmed.