What you need to know – Vtech hacked, but why??

Nov 30, 2015 By Amit Ashbel

What was stolen?

On November 24th, VTech Holdings detected unauthorized access to customer data housed on their Learning Lodge app store database.  The breach occurred on November the 14th – 10 days before it was even detected.

The data stolen includes full names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, along with mailing addresses and download history. The data of over 200 thousand kids was stolen and nearly 5 million additional entries were harvested by the hackers.

How was the attack executed?


It is not yet clear how the attack was launched; however, a simple SQL injection (SQLi) would be a good bet, especially considering the attack channel – a web application – and the target – a customer database.


In an SQLi attack, the attacker runs a specially crafted command through an “un-sanitized” text field and gains elevated access to the organization’s database. The silver lining to SQLi vulnerabilities is that they are very simple to avoid – if you know what you’re looking for. A simple application code analysis will detect fields that might be exposed to SQLi vulnerabilities, allowing the developers to properly fix the code.


Vtech “bad” #1: An SQLi is one of the more basic attacks on database servers.

With that comes good news and bad news.

The good news is that the passwords stored on the database were encrypted.

The bad news…


Vtech “bad” #2: The passwords were protected using one-way MD5 hashing. MD5 is one of the most basic schemes still in use today and is no longer up to current security standards, because it is so easy to crack. Using publicly available “rainbow tables,” anyone can recover many – if not all – of the passwords.
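As an added illustration (not code from VTech or from the original article), the Python sketch below shows why identical passwords stored as MD5 fall to a precomputed lookup table, and how a salted, slow hash removes that exposure while legacy records are upgraded at login. It assumes the MD5 hashes were unsalted; PBKDF2-HMAC-SHA256, the iteration count, the record format, and all function names and sample data are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2 work factor; tune for your hardware

def legacy_md5(password: str) -> str:
    """Unsalted MD5: every user with the same password gets the same digest."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    if "$" not in stored:  # legacy record: bare MD5 hex digest
        return hmac.compare_digest(legacy_md5(password), stored)
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users: dict, name: str, password: str) -> bool:
    """Check the password; upgrade a legacy MD5 record on first success."""
    stored = users.get(name)
    if stored is None or not verify_password(password, stored):
        return False
    if "$" not in stored:
        users[name] = hash_password(password)
    return True

def exposed_by_table(users: dict, table: dict) -> dict:
    """Accounts whose stored value appears in a precomputed digest table."""
    return {u: table[h] for u, h in users.items() if h in table}

# Constructed sample data: two accounts sharing one password, stored as MD5.
USERS = {"alice": legacy_md5("sunshine1"), "bob": legacy_md5("sunshine1")}
# Constructed stand-in for a public precomputed table (digest -> password).
TABLE = {legacy_md5(p): p for p in ("123456", "sunshine1", "letmein")}

if __name__ == "__main__":
    print("before:", exposed_by_table(USERS, TABLE))
    login(USERS, "alice", "sunshine1")  # alice's record is re-hashed
    print("after: ", exposed_by_table(USERS, TABLE))
```

Records that are never logged into again stay in MD5 form, so a real migration also needs a plan for dormant accounts, such as a forced password reset.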


What’s the incentive?


Looking at this attack, it’s not immediately obvious what the hackers can gain from this data. There doesn’t seem to be any financial gain involved, it was not some kind of cyber political warfare and there most likely isn’t an ethical agenda attached to this specific hack.


Personal user data is probably being harvested on a daily basis by hacking groups or, as I prefer to call them, “hacking mafias”. This data can later be re-purposed for smart social engineering attacks which can be used for financial gain. Social engineering is all about gaining the trust of your victim. If I know the names of someone’s kids, their home address and their email address – it’s going to be much easier to gain their trust.


“Yes Mr. Smith, a college savings fund for Tim and Jane is a great decision. Shall we send the receipt to your home address at Oak Street or to your email?”  

On top of that, the re-use of passwords is a common mistake made by many internet users. Some might use the same password on their online banking account, their web mail account and on their application store access. With enough data harvesting, finding out where someone does their banking is not a big challenge.


What Now?

  • Fortunately, VTech does not store credit card information in their database. All payments are passed through a secure third-party payment gateway.
  • VTech has suspended the attacked website and 13 additional websites they own for the time being.
  • Other than announcing the breach and enhancing their security measures, VTech has not publicly discussed any further proactive steps they will be taking.