6.4 million children's photos and chat logs leaked. Names. Birthdays. Pictures of kids sent to parents through VTech's app — all exposed because VTech used no encryption, stored passwords with broken hashing, and left SQL injection holes open. The FTC fined them $650,000 — about ten cents per child. The photos of those children are still on the internet. After leaking 6.4 million children's data, VTech's response was to update the terms of service to say data theft was the parents' problem. "You acknowledge information may not be secure." A toy company told parents: we might leak your children's photos, and by turning on the toy, you agree that's acceptable. Accountability, outsourced to the victim.
What they claim: VTech updated its terms of service after the breach to limit liability
What we found: After the breach, VTech quietly updated its terms of service to state: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties." A children's toy company told parents that their children's data might be stolen, and by using the product, they accepted that risk.
What they claim: VTech promotes safe, educational electronic toys for children
What we found: In November 2015, VTech's Learning Lodge database was breached, exposing personal data of 6.4 million children and 4.9 million parents across 15 countries. The data included children's names, dates of birth, genders, photos, and chat logs between children and parents. The FTC fined VTech $650,000 for violating COPPA. The attacker found that VTech used no encryption, stored passwords as MD5 hashes, and had SQL injection vulnerabilities.