Toymaker VTech has admitted that millions of kiddies' online profiles were left exposed to hackers – much higher than the 220,000 first feared.
On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.
That admission comes four days after it emerged that a hacker had raided the entertainment company's customer database.
After families buy VTech's computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.
That requires handing over sensitive information, such as parents' names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech's poor online security.
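To show why the MD5-hashed passwords mentioned above are a weak point, here is an added example (not VTech's code and not from the article) that contrasts bare, unsalted MD5 storage with a per-user-salted, iterated PBKDF2 scheme, plus a triage check for spotting legacy MD5 values in a user table. The sample accounts and their shared password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample accounts: two users who happened to pick the same common password.
SAMPLE_PASSWORDS = {"parent_a": "password123", "parent_b": "password123"}


def md5_unsalted(password: str) -> str:
    """The weak scheme the article describes: bare MD5 of the password, no salt.
    Identical passwords hash identically, so one precomputed table unmasks every reuse."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened storage: random per-user salt plus slow PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' so everything
    needed to verify later travels with the record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def looks_like_bare_md5(stored: str) -> bool:
    """Triage check for a legacy user table: a bare 32-hex-character value is almost
    certainly an unsalted MD5 digest and should be flagged for migration."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def hash_collisions(scheme: Callable[[str], str]) -> int:
    """How many of the sample accounts end up sharing a stored value under `scheme`."""
    hashes = [scheme(p) for p in SAMPLE_PASSWORDS.values()]
    return len(hashes) - len(set(hashes))
```

Under the MD5 scheme both sample accounts collapse to one stored value, which is exactly what lets a stolen table be attacked in bulk; under the salted scheme they do not.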
"Regretfully our database was not as secure as it should have been," VTech's FAQ admitted.
"Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
Here's how many accounts were pwned in each nation affected:
| Republic of Ireland | 40,244 | 55,102 |
The data was swiped from VTech's online store called the Learning Lodge and the KidConnect system that lets children chat to their parents electronically; the toymaker has killed both of those, and a number of other services, while it cleans up the mess.
After the weekend, it further emerged that the hacker was able to grab a year's worth of unencrypted chat logs from KidConnect, files of audio recorded from VTech gadgets, and pictures sent via the messaging system.
The toymaker said it encrypted copies of the sound files and photos. However, infosec bods analyzing VTech's apps found the encryption can be easily broken due to poor programming and weak keys.
"As the investigation is ongoing, we cannot confirm at this stage [that the hacker has taken photos and chats of children and their parents]. However, we can confirm these images are encrypted by AES128," the FAQ states.
"Audio files are encrypted by AES128, whereas chat logs are not encrypted. Kid Connect is similar to a WhatsApp service. Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days."
No credit card information or state ID numbers (such as driver's license or social security numbers) were accessed, though, we're told. ®