• Toy maker VTech pwned by way of SQL injection, data of ~5M parents and >200K children exposed
[url]http://www.neowin.net/news/toy-maker-breach-exposes-data-on-hundreds-of-thousands-of-kids[/url] [quote=Neowin]Earlier this month, an unknown hacker exfiltrated customer databases from Chinese toy maker, VTech. Amongst the data stolen were the records of 5 million parents and over 200,000 children. Along with account data, such as user names and passwords, the toy maker also stored personal data including names, email addresses, physical addresses, and IP addresses of customers. Particularly troubling is that the identities of children can be matched with their respective parents using the data. The individual who stole the data claims to have only shared it with the online publication, Motherboard, although they claim it would have been trivial for others to have also dumped the data due to the weak security in use by the website. The hacker was able to get a hold of the data by using a trivial SQL injection attack.[/quote]
why does a toy maker need all that info?
[QUOTE=Giraffen93;49202760]why does a toy maker need all that info?[/QUOTE] Data mining for the Chinese government. They were going to use this information to invade our sacred lands, and sell us some lead paint mercury toy balls. :tinfoil:
[QUOTE=Giraffen93;49202760]why does a toy maker need all that info?[/QUOTE] You can buy things off them, so they'd need to keep things like names and addresses stored. Not sure how the kids' accounts worked, probably just had basic name, username and password stored for some online thing, but it could be linked to the parents' shipping address by matching IP addresses.
Doesn't Vtech also sell general household electronics as well, such as house phones?
[QUOTE](Passwords) They were MD5 hashed[/QUOTE] Storing passwords like that should warrant a fine
We live in 2015 yet companies can't put in some effort and money to secure their data properly. Amazing.
it's not even that hard to prevent sql injection holy shit [editline]28th November 2015[/editline] this whole fiasco is caused by pure incompetence
[QUOTE=Limed00d;49203065]We live in 2015 yet companies can't put in some effort and money to secure their data properly. Amazing.[/QUOTE] But here's the thing: it doesn't even require any effort. It actually takes more effort to find a solution as outdated as MD5 hashing.
[QUOTE=Recurracy;49203076] this whole fiasco is caused by pure incompetence[/QUOTE] My money is not on incompetence, but rather on the fact that many companies cheap out on things like security simply for money reasons. Devel: "Our system is still using MD5 for storing passwords, which has been proven easily crackable. We have to establish a scheduled upgrade and change our software to use more secure algorithms for new passwords." Management: "This costs too much time and effort. We need to rush out other more important changes, such as <Insert Gimmick feature here>. As long as it works, it works, it doesn't need to be changed."
[QUOTE=kaukassus;49203583]My money is not on incompetence, but rather on the fact that many companies cheap out on things like security simply for money reasons. Devel: "Our system is still using MD5 for storing passwords, which has been proven easily crackable. We have to establish a scheduled upgrade and change our software to use more secure algorithms for new passwords." Management: "This costs too much time and effort. We need to rush out other more important changes, such as <Insert Gimmick feature here>. As long as it works, it works, it doesn't need to be changed."[/QUOTE] "Run it 'til it breaks" is a more common work-place practice than it should be, sadly.
[QUOTE=Giraffen93;49202760]why does a toy maker need all that info?[/QUOTE] Most companies sell this information to advertising companies.
[QUOTE=Limed00d;49203065]We live in 2015 yet companies can't put in some effort and money to secure their data properly. Amazing.[/QUOTE] and the scary thing is just how much data some of them have. we don't even know what some of these companies have on us, or how well it's protected (if at all)
[QUOTE=Giraffen93;49202760]why does a toy maker need all that info?[/QUOTE] practically every company keeps ahold of as much info on their customers as possible
[QUOTE=Limed00d;49203065]We live in 2015 yet companies can't put in some effort and money to secure their data properly. Amazing.[/QUOTE] "We live in 2015" doesn't mean anything. The only years where not funding data security makes sense are the pre-internet years, and even then data leaks existed, so even then data security should be a must. Companies should do it regardless of the year but of course they won't. Why would they, GEE, WONDER WHY. (they're lazy)
vtech is a terrible company, very scummy and very money grubbing. Not very surprised. They've also broken the law by not releasing GPL code on request. Shameful.
[QUOTE=gokiyono;49203060]Storing passwords like that should warrant a fine[/QUOTE] Don't worry everyone we encrypted your passwords by switching every letter with the one to the left of it on the keyboard