An unidentified man has been arrested in England in connection with the hack of VTech, a Hong Kong toy maker:
Police in England said they arrested a 21-year-old man on Tuesday in connection with last month's breach of VTech, a Hong Kong electronic toy maker, which exposed personal data for 12 million people, including 6.4 million minors. Hackers also made off with profile photos and chat logs of millions of parents and their children.
British police said they arrested the man, who has not been identified, in Bracknell, a town 32 miles outside of London, for breaking England's Computer Misuse Act, including "unauthorized access" to a computer and data, according to a statement released by Britain's South East Regional Organized Crime Unit.
Last month, VTech said its online database store was compromised by hackers. Among the stolen data were names, email addresses, passwords, profile information, mailing addresses and download histories belonging to parents, as well as names, genders and birth dates of children. The breach was notable for the fact that children's personal information was compromised. Security experts say children are a frequent target for identity thieves because their clean credit histories can be used to apply for government benefits, open bank and credit card accounts and apply for loans.
But the hacker believed to be behind the breach told Vice's Motherboard blog that he did not intend to sell or use the data, but instead to draw publicity to VTech's weak security practices. The hacker told Motherboard that he was able to breach two databases, containing personal data for millions of parents and children, using a simple hacking technique called a SQL injection, in which hackers enter commands that prompt a database to dump its contents.
Previously: Hack of Toy Maker VTech Exposes Families
Related Stories
VTech, a Chinese company that makes popular electronic toys for kids, had its app store hacked.
An "unauthorized party" accessed customer information in a database for VTech's Learning Lodge app store on November 14, the company said in a statement Friday. The app store lets parents download apps, games, e-books and educational content to VTech toys.
The database contains customer data including name, email address, password, IP address, mailing address and download history. It does not contain credit card information, the company said.
VTech has not said how many customers were affected, but Motherboard, which first reported the hack, said information on nearly 5 million parents and more than 200,000 kids was exposed. The hacked data included kids' first name, gender and birthday, according to Motherboard.
[...] Motherboard was notified of the breach by an unidentified hacker who claimed responsibility. The hacker said he intends to do "nothing" with the data, according to Motherboard. Hackers sometimes break into systems simply to demonstrate that the networks are vulnerable and need to be made more secure.
If the number of exposed accounts reported by Motherboard is accurate, the VTech hack would be among the largest breaches in recent years. In August, hackers published data from more than 30 million accounts that had been set up on adultery website Ashley Madison. The personal information of an estimated 110 million Target customers was stolen in 2013 by malware installed on the retailer's point-of-sale terminals.
Sanrio, which owns the $5 billion a year Hello Kitty merchandise empire, has fallen victim to a hack of SanrioTown.com, an online community for fans of Hello Kitty and other Sanrio characters. Data from users of SanrioTown and other portals including "first and last names, [birthday], gender, country of origin, email addresses, unsalted SHA-1 password hashes, [and] password hint questions" were leaked to the Web and discovered by security researcher Chris Vickery.
The breach is reminiscent of the recent VTech data breach that exposed up to 6.4 million children. A UK man was arrested over the breach last week. Children are reportedly better targets for identity theft due to their blank credit histories, although it is currently unclear how many users of Sanrio sites were children.
(Score: 0) by Anonymous Coward on Wednesday December 16 2015, @11:37AM
But he's no more guilty of anything than the company are, and the supplier of the web engine.
Broken software should be known to be broken. The companies behind it should be named and shamed.
Companies who do not take due diligence to ensure their customers' data is secure should be outed.
(Score: 4, Insightful) by PizzaRollPlinkett on Wednesday December 16 2015, @12:23PM
So our "cyber" defenders finally caught a hacker! This is the lowest of the low hanging fruit, but they finally caught one. Have they ever caught anything but low-hanging fruit? This guy will have the book thrown at him because he's the only hacker they've caught in years, and we've spent billions on "cyber" this and "cyber" that and have to have something to show for it. Meanwhile, the corporation and its lowest-bidder software contractors (wouldn't you love to know who they outsourced their web development to?) aren't held accountable at all. If a hacker who can get caught by the "cyber" defenders can breach their defenses, then the corporation ought to have some culpability here, too. They'd just point fingers at their consultants, who would point fingers at some offshore company, who would point fingers at someone else. Plausible deniability is built into this stuff.
(E-mail me if you want a pizza roll!)
(Score: 3, Funny) by Gravis on Wednesday December 16 2015, @02:39PM
> Plausible deniability is built into this stuff.
i think you mean "Plausible cyber deniability". ;)
(Score: 3, Insightful) by LoRdTAW on Wednesday December 16 2015, @12:43PM
If a Hong Kong hacker broke into a UK Toy company, everyone would just write it off and go about their day.
(Score: 0) by Anonymous Coward on Wednesday December 16 2015, @01:20PM
this guy is in deep shit.
there were photos of the kids from their toys and he had tens of thousands of photos.
guaranteed to be some nudes. so now he's hacking for cp.
sounds like the kind of shit a court would want to make an example out of.
nice life buddy. too bad it ended at 21.
(Score: 3, Insightful) by isostatic on Wednesday December 16 2015, @02:06PM
What kind of toys are these? My kids have some vtech toys (toot toot drivers, baby walker, etc). I'm not aware of them having cameras or connecting to the internet.
What kind of toy needs internet access? How does it connect without the parent knowing?
(Score: 2) by rob_on_earth on Wednesday December 16 2015, @04:00PM
Hints are that it's the vtech tablets. We have the 1st gen one, sans camera, and it's the only reason I signed up to learning-lodge. They offered a set of credits for free apps in the box.
As I remember, the offerings available were not very interesting.
(Score: 0) by Anonymous Coward on Wednesday December 16 2015, @10:57PM
Yeah, kids' tablets have the problem of not being mainstream so they end up being no better than the cheap non-name Chinese models.
For most people it's just better to get an old iPad, put a big thick shock-absorber case on it and curate the apps yourself.
(Score: 2) by Tramii on Wednesday December 16 2015, @05:10PM
> guaranteed to be some nudes. so now he's hacking for cp.
So... VTech was (is?) storing child porn on their servers?
(Score: 2) by Hyperturtle on Wednesday December 16 2015, @11:01PM
What nefarious thing did he do, besides exposing the problem? It doesn't seem like he profited from it other than benefiting the world from his actions exposing how bad "cloud" security can be. Just because he thought of the children doesn't mean you can go around screaming think of the children! lock him up because there might be nudes? of kids? MIGHT?
Shame on vtech for what they did. Shame on them for not being able to provide free 24x7 credit monitoring to your nude child example. Shame on them for being so stupid, and shame on them for not writing that guy a reward check and offering him a job for resisting the urge to sell all that stuff a 100x over because he could.
Instead, he went to the media. Which is probably far worse from their perspective than if he quietly sold the stuff on some black market.
(Score: 0) by Anonymous Coward on Thursday December 17 2015, @03:21AM