What’s worse that a data breach of your personal data?
A data breach of your personal data and the personal data of your children.
That’s what may have happened – or may not, it’s still not clear – at electronic toy vendor VTech.
VTech makes educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.
Actually, right now you can’t shop for anything, because the site is temporarily shuttered following a data breach.
VTech’s own statement on the breach isn’t terribly reassuring:
VTech Holdings Limited today [2015-11-27] announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT
. . .
Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.
From the above, VTech certainly makes it sound as though the company has “done an Adobe“, storing passwords encrypted (so that if someone figures out the decryption key, they can recover all the passwords at once), and keeping password recovery information entirely unencrypted.
Adobe famously lost more than 100 million records in which password hints were not encrypted, meaning that many people’s passwords were easy to figure out.
To add to the trouble, everyone with the same password had the same encrypted data string to represent it, so that if anyone else had the same password as you, and was silly enough to put his password in the hint…then he revealed your password at the same time.
VTech certainly makes it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows password to be verified.
After all, the official statement talks about a “secret question and answer for password retrieval”, as though the company will send you a copy of your password (presumably via email) if you can answer that secret question.
What we’re hoping is that VTech really meant to say that it stores your passwords hashed, not encrypted.
And we’re hoping it meant that those secret question and answers are for password reset, which is quite a different beast from retrieval.
(Hint to VTech: these would be surprisingly useful details to clarify as soon as possible.)
Having said that, what was lost – especially as it seems to include everyone’s password reset/recovery data in plain text – is a serious matter, because it is data that crooks can use in other attacks.
Whether a crook wants to convince other people that he knows a lot about you, even though he’s never met you, or wants to convince you that he’s contacting you legitimately by referring to things you wouldn’t expect an outsider to know…
…the more factoids he can piece together about you and your lifestyle, the greater the criminal success he is likely to have.
Worse still in the case of this breach is the suggestion on the BBC’s website that data from the theft has already surfaced online and includes children’s names, dates of birth and genders.
Let’s hope that VTech are able to provide some clarity about the situation soon – whether the news gets better or worse, it’s only the truth that can really help now.
edkay
Based on http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html it appears the ‘encrypted’ password was just a plain MD5 hash – so basically plaintext.
The more worrying part is the loss of so much information that can’t be easily changed: names, addresses, DoBs, security questions + answers. The fact this includes children’s data too makes this one of the worst breaches I’ve heard of.
Paul Ducklin
On a point of order, an MD5 hash is not “basically plaintext,” no matter how unsuitable it might be as a hash. You still have to test each possible password (or look it up in a precomputed list), unlike Adobe’s case, where Adobe could (and had to, in order to verify passwords at login) “reverse” each password out of its own database with a single password. Errr, unless there was no salt, when it’s still not “basically plaintext” but it’s the next worst thing :-(
I was just surprised to see the term “password retrieval” chosen when it clearly doesn’t apply if any sort of one-way function was used. (For all MD5’s weaknesses, it’s still a one-way function in this case, with or without a salt), especially when the word “retrieval” is matched with “encryption” (which implies decryption, and thus supports the notion of retrieval).
So…Vtech itself should clarify: were the passwords hashed or encrypted? And whichever was the case, how?
Also, was data about the customer’s children breached? The company mentions “download history,” but no mention of other data that isn’t specific to the paying customer (presaumbly, then, the parent, not the child).
edkay
The MD5 point was that there didn’t appear to be any salting involved, accorded to the report I linked to above: “It’s just a straight MD5 hash, not even an attempt at salting or using a decent hashing algorithm.” So you can simply Google the hash and bingo, there’s the password in plain text.
Vtech only mentions download history, but Troy Hunt’s report (which I find quite convincing) claims that child data was breached. See “You can see how the parent_id of the child – 2700413 – relates back to the ID of the parent.” and then below that details of the “member CSV files” containing names and DoBs of children.
stefanvxr8
Guys, is it just me or is anyone else not able to share these stories on iThings with Twitter? When I click on share it just takes me to the Twitter main screen. LinkedIn works fine.
Stef