What was stolen?
On November 24th, VTech Holdings detected unauthorized access to customer data housed on their Learning Lodge app store database. The breach occurred on November the 14th – 10 days before it was even detected.
The data stolen includes full names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, along with mailing addresses and download history. The date of over 200 thousand kid’s was stolen and nearly 5 million additional entries were harvested by the hackers.
How was the attack executed?
It is not yet clear how the attack was launched; however, a simple SQL injection (SQLi) would be a good bet, especially considering the attack channel – a web application – and the target – a customer database.
By running a specific command in an “un-sanitized” text field, the attacker gains elevated access to the organization’s database. The silver lining to SQLi vulnerabilities is that they are very simple to avoid – if you know what you’re looking for. A simple application code analysis will detect fields which might be exposed to SQLi vulnerabilities allowing the developers to properly fix the code.
Vtech “bad” #1: An SQLi is one of the more basic attacks on database servers.
With that comes good news and bad news.
The good news is that the passwords stored on the database were encrypted.
The bad news…
Vtech “bad: #2: The passwords were encrypted using one-way MD5 hashing. This is one of the most basic encryption still in use today and is no longer up to current security standards, due to how easy it can be to crack. Using publicly available “rainbow tables,” anyone can reverse the encryption of many – if not all – the passwords.
What’s the incentive?
Looking at this attack, it’s not immediately obvious what the hackers can gain from this data. There doesn’t seem to be any financial gain involved, it was not some kind of cyber political warfare and there most likely isn’t an ethical agenda attached to this specific hack.
Personal users data is probably being harvested on a daily basis by hacking groups or as I prefer to call them “hacking mafias”. This data can later be re-purposed for smart social engineering attacks which can be used for financial gain. Social engineering is all about gaining the trust of your victim. If I know the names of someone’s kids, their home address and their email address – it’s going to be much easier to gain their trust.
“Yes Mr. Smith, a college savings fund for Tim and Jane is a great decision. Shall we send the receipt to your home address at Oak Street or to your email?”
On top of that, the re-use of passwords is a common mistake made by many internet users. Some might use the same password on their online banking account, their web mail account and on their application store access. With enough data harvesting, finding out where someone does their banking is not a big challenge.
- Fortunately, VTech does not store credit card information in their database. All payments are passed through a secure third-party payment gateway.
- VTech has suspended the attacked website and 13 additional websites they own for the time being.
- Other than announcing the breach and enhancing their security measures VTech has not publicly discussed any further proactive steps they will be taking.