As millions of Americans head to online stores for Black Friday, one company is having a problem keeping its customers' information safe. An unidentified hacker was able to extract nearly 5 million credentials from the website of children's toy manufacturer Vtech, according to an exclusive report from Motherboard. The hacker, who obtained the data through a SQL injection attack, says he has no plans to release the information. Still, it's possible that less scrupulous actors also attempted to exploit the security flaw. That would put 4.8 million customers at risk, along with information on 200,000 of their children, whose data is also included in Vtech's databases.
Customers can check whether their data was compromised at HaveIBeenPwned.com, and the site's proprietor, Microsoft developer Troy Hunt, has published further thoughts on the breach.
The data includes names, emails, encrypted passwords and home addresses, making it comparatively mild for affected customers. While encrypted passwords can eventually be deciphered, that process could take days or even weeks, giving customers ample time to change any matching passwords endangered by the breach. The more serious concern is privacy. Vtech also held the first names, genders and birthdays of many customers' children, linking the children to their parents and home addresses.
Vtech responded to the breach with a statement earlier today, in which it claimed to have already fixed the relevant vulnerabilities and provided email support for any affected customers. "The investigation continues as we look at additional ways to strengthen our Learning Lodge database security," the company said. "We are committed to protecting our customers' information and their privacy, to ensure against any such incidents in the future."
3:24PM ET: Updated to include a link to HaveIBeenPwned.com