I really wanted this holiday season to be one of joy and goodwill towards all people, but it seems like the black hats will never rest. Let’s just get the ugliness out of the way: VTech – maker of tech toys for kids – has suffered a data breach that has exposed over five million customer accounts, and worse still, over six million child profiles. As per usual, it seems that the Hong Kong company initially tried to downplay the breach by omitting any numbers and any mention that kids’ profiles might be at risk, but eventually came clean as word began to spread. Even after announcing the number of people affected by this breach, VTech continued to spin the incident and tried to downplay the extent of the data leaked, despite proof provided to the media that the data exposed included a year’s worth of chat logs and children’s profile pictures, which were uploaded to VTech’s Kid Connect service, a supposedly secure social media platform that parents can use to chat with their children through VTech’s tablets.
What this means for you:
It’s not clear yet when (if ever) VTech will take action and contact the affected families. Hopefully you will know whether or not you’ve purchased an internet-capable VTech toy for your child and set up the Kid Connect service. The information exposed in this hack has not been released to the internet, and the hacker behind the breach says that the info was shared with the press to expose VTech’s poor security practices, but that’s not to say that it won’t eventually be released. As a parent, you should be mindful of any activity that involves exposing confidential information about your children on the internet (including Facebook!), and this will continue to be more important as more and more toys become increasingly sophisticated, connected and complex. By VTech’s own admission, they were unaware of the security breach until the media contacted them for comment. As a business owner or manager, that is one nasty surprise you don’t want as a holiday gift. Make sure you have a good understanding of what confidential information you do store, and make sure it’s wrapped tight and kept safe, if it has to be kept at all.
A new website called “HaveIBeenPwned.com” recently launched that indexes millions of accounts that have been exposed in some of the largest data breaches in the past 3 years, including the most recent data theft from Adobe, in which over 153 million accounts were dumped onto the internet. This website allows anyone to punch in their email address to see if their credentials were a part of the haul the data thieves looted in these attacks. Interestingly enough, I punched in my personal email address and discovered (as expected) my account was one of the 153 million exposed in the Adobe breach. Other breaches covered in this database include Yahoo, Sony, Stratfor and Gawker. If you happen to use any websites from those companies, it may be worth your while to check to see if you might have a password issue.
What this means for you:
If you happen to score one or more hits in the database on this website, and you know you’ve used the same password exposed in the above data breaches on other sites, you should stop using that password immediately and change your other passwords ASAP. Even if you didn’t score a hit in the database, there are data breaches happening constantly, and computers have become strong enough to crack the encryption used to store and ostensibly protect passwords. Where possible (and reasonable), you should be using unique, strong passwords for all your important web services, especially the ones that have access to your sensitive data and money. Programs like Passpack (what I use) and LastPass are indispensable tools to assist in making strong password use practical. Each has a bit of a learning curve and will take some getting used to, but the time spent will be a worthwhile investment in protecting yourself online.
Image courtesy of Salvatore Vuono / FreeDigitalPhotos.net.