VTech Hack Gets Worse: Chat Logs, Kids' Photos Taken In Breach (vice.com) 69
An anonymous reader writes: The VTech hack just got a little worse. Reports say that in addition to the 4.8 million records with parents' names, home addresses, passwords and the identities of 227k kids, the hackers also have hundreds of gigabytes worth of pictures and chat logs belonging to children. ZDNet reports: "Tens of thousands of pictures — many blank or duplicates — were thought to have been taken from from Kid Connect, an app that allows parents to use a smartphone app to talk to their children through a VTech tablet. Motherboard was able to verify a portion of the images, and the chat logs, which date as far back as late-2014. Details about the intrusion are not fully known yet. The hacker, who for now remains nameless, told Motherboard that the Hong Kong-based company 'left other sensitive data exposed on its servers.'"
Mail or call the us office (Score:3)
1156 W Shure Dr #200, Arlington Heights, IL 60004
(847) 400-3600
Re: (Score:3)
To do WHAT exactly?
Numbers don't add up. (Score:3)
I keep seeing reports of this saying "4,800,000 parents" and "227,000 children". Can someone please explain this?
Re: (Score:2)
Simple answer: Not every registered parent (for maybe warranty or something) had registered children in the system.
Re: (Score:1)
Most parents aren't going to put their kids information into these things, especially if there is no reason to.
Re: (Score:2)
A parent needs to register in order to purchase and/or download apps. I expect a lot of parents register just to browse the catalogue and look at prices. Some applications require you to register a child's information to enable certain functionality, but many parents wouldn't download any of these apps, and if they do, they may not enter information for any children.
Essentially, for every family with at least one of these devices where they want to browse/download/purchase apps, at least one parent will b
Re: (Score:2, Insightful)
People that exist, but neither you nor I would have any desire to meet.
Re: (Score:2, Insightful)
"We have your son, Timmy. Here's a picture for proof. He says he really misses his dog Spot. If you want to see him alive again, wire $5000 to ..."
Even worse than that (Score:2)
Expect fake lost kids emails and other much worse things.
There is evil. And then there's Evil.
This is the latter.
Stop The Presses (Score:2, Insightful)
Re: (Score:2)
Or Crow clicked on the link to make that comment as this didn't belong on the Slashdot front page as it is a non-story. Another company hacked due to lax security, news...when we feel like it.
Why were they storing these? (Score:5, Insightful)
The important question is why the data was stored on VTech's servers in the first place.
THIS ^^^^^^^^ THIS
This corporate culture of "store everything" needs to go away. At least in the past, we had storage limitations that made this infeasible. But dammit, as a software engineer, if the system requirements tell me to store something that would be bad if it was released, then I'm not storing it unless there is a damned good reason AND it is well encrypted.
My kids have some vtech stuff. I downloaded their app that lets the toy know the child's name, birthday, and favorite food. But that's it. It never occurred to me that they would have any reason to store that information. Let alone storing photos and chat logs from devices that have that capability.
WTF!!!!! I am anxious to hear about this. This is why I used to use a personal firewall years ago. Everything phones home. But now they are impractical.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We can start with mail servers and this ridiculous desire to keep every e-mail from the last twenty years "just in case".
Re:Why were they storing these? (Score:5, Interesting)
Not to mention with child privacy laws, this sort of thing has to be well kept.
For an example - take a look at Nintendo - we lambast them for "friend codes" and awkward DRM. But you realize that the intersection of various child privacy laws worldwide mean Nintendo basically cannot ask for any information - no name, no email address or anything.
And by doing this, they just have to associate a hardware serial number (anonymous!) with purchases (also anonymous!). If you transfer to another console, it's moving the purchases to a new serial number.
But this means you also cannot create an account and re-download stuff (because Nintendo doesn't know who you are), and if your console breaks, you have to bring it back to Nintendo (so they can move the stuff to a new serial number).
Sure today you can create a "Nintendo Network" account that tries to associate your purchases with an ID, but that's optional and you still suffer the same limitations.
it's the only way Nintendo could guarantee even if they were hacked, that there was no private data to take, and legally they couldn't collect any information.
Re: (Score:2)
Then they screw it up, and when you switch from a Wii to a Wii U, the accounts are incompatible, and have to be completely redone.
I now have 4 Nintendo accounts and no way for them to cooperate.
Data Retention is a Liability (Score:2)
Listen to Bruce Schneier make this important point:
http://feeds.cato.org/~r/CatoD... [cato.org]
Re: (Score:2)
The important question is why the data was stored on VTech's servers in the first place.
THIS ^^^^^^^^ THIS
This corporate culture of "store everything" needs to go away.
But. But! BUT! Think of the children!!!
oh......wait....
Re: (Score:2)
They were apparently thinking a little too much about the children.
Re: (Score:2)
I downloaded their app that lets the toy know the child's name, birthday, and favorite food. But that's it. It never occurred to me that they would have any reason to store that information.
What did you think they would do with it?
breach fatigue (Score:3)
Every day I read about zillion emails and other personal information is hacked. Like MobyDisk asks why are they storing this stuff? I think companies should be liable for loss of personal information so then they will first think is it necessary to gather information. Then if they do they better have some damn good methods of keeping it safe. Yes, I have personal firewall on all the time. I also have computers that are never put online. Then these places ask for name, birthdate and address. I may give them name and address, birthdates are different than my actual.
So now here's another hack and loss of data, ho hum, just another disaster in IT land, yawn. This can be serious. There might be a breach that will really screw things up and nobody will flinch.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's not a loss of personal information, it's just a copy of the information and information wants to be free. Once you have a thought and share it, it is no longer your's. It belongs to everybody. You don't own information.
(Yes, yes I am kidding - but, well, it's an interesting line of thought to see if anyone will actually defend this as such.)
Conclusion: This material should be covered under copyright laws and should not be able to be willed away by the parent of a child by something so trivial as a EULA
Re: (Score:2)
It's already covered under copyright laws (as far as that can possibly apply to most of this information).
Copyright applies to anything and everything unless explicitely made available by the owner.
The problem is allowing bait-&-switch tactics like EULA's in the first place.
Re: (Score:2)
Yup. I was thinking of how to approach this as a legal argument. That's where I'd start. The EULA shouldn't actually allow a parent to sign away the copyrights on the works of their children - regardless of what they signed. It should not be legally binding. Copyright can come in handy. I'd go after it in this direction but then the parents assume partial liability (potentially). My hope is that everyone learns a lesson but, ya know, I'm sometimes a deluded idealist.
As a parent... (Score:2)
I don't get the issue...
I don't remember the registration asking for an address, just an email. If they did ask, it was "1234 fake st".
Omg they have my email address and name noooooo. And who cares about a pic of my kid, who looks like a million and one other kids out there.
If you want to see the interesting depths of a chat log of a kid, just fire up your favorite markov chain.
Wtf is everyone so worked up about?
Re: (Score:2)
Think of the children!
Re: (Score:2)
The problem is, some people think far too much about the children.
Re: (Score:2)
By posting off topic, APK is actually saying that he thinks about children all the time and he thinks he should be locked up to prevent him hurting a child.
Re: (Score:2)
Because it's children! Dear God, won't somebody think of the children!
Re: (Score:2)
Presumably someone is and, I suppose, therein lies the root of the complaints.
Re: (Score:2)
You're making the mistake of thinking like a slashdotter,where you're absolutely right in your assessment. Allow me to paint a better picture of the average person whose data is actually involved.
1.) Registration with fake information? That's "sensible skepticism", a holdover from the earlier days of the internet. In the 90's, 1234 fake street, 123 maple street, and 12345 main street were quite crowded buildings. Since vanity and exhibitionism has become the norm on the internet, it's quite common to actual
Hows that Honda S2000? (Score:3, Funny)
VTEC just kicked in yo!
Re: (Score:2)
I always thought that was kind of funny, don't you want your engine to kick in the performance when you press the pedal (like Toyota) rather than when the engine finally reaches 3000 rpm (like Honda)?