VTech Toy Hacker Gets Personal Information of Over 6million Children

vtech hack
Share the knowledge

You’ll need to pardon our rant, and if you are easily offended, you may want to skip this article. Because we want to know who the hell lets their kids register their personal information, including home address, pictures, and other personally identifying information or – even more mind-boggling – registers this information for their kids, online?

We’ve talked about the dangers of letting kids be on the Internet since almost before there was an actual Internet. It’s well known that children are the most vulnerable, and the most at risk, of any online population, once they get online. It’s why even Facebook, user-hog that they are, won’t let kids under 13 register for an account.

In fact, Facebook was sued – and settled – for letting an 11 year old open a Facebook account.

And yet millions – MILLIONS – of parents blithely hand their kids, many well under the age of 11, VTech toys that require them to register online, and to give up all of this personal information, including home addresses and dates of birth, and then they let them use this system – a system that encourages them to upload profile pictures of themselves, and have online chats!


The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

In case you haven’t guessed by now (and you should have, as the headline of this article is “VTech Toy Hacker Gets Personal Information of Over 6million Children”), a hacker hacked into electronic toymaker VTech’s system, and got the personal information of 6.4 million children, along with 4.9 million adults (their parents), along with head shots and chat messages.

vtech hack

How many ways do you think that data can be misused? Wait, stop thinking about it, because it quickly goes down a very dark path.

According to the Wall Street Journal, nearly half (46%) of those accounts belonged to children and parents in the United States, with those in several other countries making up the balance (18% are in France, 12% in the U.K., 8% in Germany, with 5% or less each for the rest of the countries).

According to a statement released by VTech about the breach, the kids’ profiles only include name, gender, and date of birth. However the kids’ profiles are connected to their parents’ profiles, and they include their home address.

Among other things, the hacker got, says VTech:

– Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password.

– Kid profiles include name, genders and birthdates.

– Encrypted Learning Lodge’s contents, including Kid Connect’s profile photos, undelivered Kid Connect messages, bulletin board postings and Learning Lodge content (ebooks, apps, games etc).

Now, you may be thinking “Well, it’s not so bad, at least the pictures were encrypted.

But you would be wrong. Because if they actually were encrypted, the hacker had no trouble decrypting them. In an excellent series of articles over at Motherboard, Lorenzo Franceschi-Bicchierai interviews the hacker, who shares some of the pictures with him.

Profile Pictures from the VTech Hack

vtech hacked children kids profile pictures
Source: motherboard.vice.com

In that particular article and interview with the VTech hacker, the hacker tells Franceschi-Bicchierai that “Frankly, it makes me sick that I was able to get all this stuff.” In another article he explains that he basically stumbled across this easily, and by accident, and just wanted to make the company aware of the extent of it.

This may all be true, in which case VTech got very lucky, and yes, they clearly need to ramp up their security.

But in the final analysis it’s still parents who are responsible for their kids’ safety, and it’s still up to parents to be aware of the risks of letting their kids on the Internet, and especially of putting personally identifiable information on the Internet.

If you or your child has ever registered anything through any of the VTech sites, including:


…then you should contact VTech at whichever below email address is applicable to you:

US: vtechkids@vtechkids.com
Canada: toys@vtechcanada.com
France: explora_park@vtech.com
Germany: downloadmanager@vtech.de
Netherlands: exp@vtech.com
Spain: informacion@vtech.com
UK: consumer_services@vtech.com
Australia and New Zealand: enquiriestoys_aunz@vtech.com
Hong Kong: corporate_mail@vtech.com
Other countries and regions: corporate_mail@vtech.com

And if you want to read a really detailed analysis of the VTech hack, check out Troy Hunt’s in-depth analysis of the VTech Hack.

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Get New Internet Patrol Articles by Email!

Share the knowledge

2 thoughts on “VTech Toy Hacker Gets Personal Information of Over 6million Children

  1. I do not understand why people use thier real names and adresses.some people call me paranoid, i remind them that paranoia is the ABSENCE of a reason to fear something. When facebook sbows me ads for something i just searched for while not on facebook, i get concerned.

  2. Well written! Kudos. And I hope people follow your advice. And I hope they fix their security holes. Mind you, they DO make great phones.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.