Security experts confirm legitimacy of children’s data breach with VTech hack

Following reports of a possible massive data breach at VTech, a Hong Kong toy company, involving about 4.8 million children and their parents, security experts have confirmed the legitimacy of the breach and described its impact on the affected children and parents, along with the steps taken to verify and remedy it.

It all started with Lorenzo Bicchierai, a journalist and writer for Motherboard, who was contacted over concerns that a massive breach involving millions of children and their parents may have occurred at VTech, and who was presented with a data dump from the breach.

Bicchierai immediately contacted Troy Hunt, a good friend and security expert, who analyzed the data dump and came up with facts that verified it came from the VTech hack. Hunt then detailed what he did and what transpired.

As an expert, Hunt would not simply take a data dump at face value and accept that it came from a particular company or website, since some data dumps are merely fabricated. So he set out, first and foremost, to determine the exact source of the data dump.

Hunt found that the login box is backed by an API that confirms whether an email address exists at login time. He then asked other professionals for help verifying this fact via Have I Been Pwned (HIBP), using an HIBP feature he had added earlier: subscribing to notifications.

With this notification feature, subscribers are notified if their email addresses or accounts are ever included in a massive data breach. Nearly 290,000 people had signed up for the service and verified their email addresses by clicking a unique link sent to them. Hunt now thinks he could contact these same people to verify facts if any data breaches occur in the future.

He emailed 18 HIBP subscribers about the possibility that their accounts had been breached at VTech and that their personally identifiable details might be included in the massive data dump. Hunt passed along some non-sensitive data culled from the dump, such as their date of birth, city, ISP and IP addresses, among others, and asked them to verify it. This would confirm whether the data dump and the VTech breach were legitimate.

Within 24 hours, six of the email recipients responded, and all of them confirmed that what was passed to them was their own data. They also all confirmed signing up for certain VTech services in recent months and giving up sensitive data along the way.

This confirmed the legitimacy of the data dump and possibly the VTech hack. Bicchierai then contacted VTech, and after a while the company confirmed that its data had been breached, but said that no payment card or banking information was obtained from its Learning Lodge site.