Embattled electronic and educational toy company VTech is now warning customers their encrypted passwords may have been decrypted by hackers, after the company was hit with a massive data breach last month.
In an email to customers, VTech said although passwords were encrypted, “It is possible that the hacker may have decrypted it.”
Last week, the company confirmed more than 10 million customer accounts – including 6.3 million children’s user profiles – were affected by the data breach. In Canada, over 237,000 adult profiles and over 316,000 kids’ profiles were affected.
Data from both parents and children was exposed after its Learning Lodge app database was hacked. The Learning Lodge app – which allows customers to download apps, games and educational content to VTech products – contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories. The database also contained kids’ profile information, including names, genders and dates of birth.
It’s also alleged that the hacker obtained children’s head shots attached to gaming profiles, as well as chat logs between kids and parents. VTech has yet to confirm these allegations, noting that its investigation is ongoing; however, the company did admit that while audio files and photos are encrypted on its system, chat logs are not.
But security experts allege the company did not have proper password-protection measures in place, making it even easier for attackers to recover the original passwords from the stolen data.
“So @vtechtoys don’t even understand what encryption is. Colour me surprised,” Rik Ferguson, vice president of security research at Trend Micro, tweeted Monday.
From the @vtechtoys mail today “Regarding the password you used, it was encrypted. It is possible that the hacker may have decrypted it.”
— Rik Ferguson (@rik_ferguson) December 7, 2015
According to experts, VTech failed to properly scramble customer passwords in its database. Worse yet, it stored users’ security questions and answers in plain text.
“Of course once the passwords hit the database we know they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered,” wrote security expert Troy Hunt on his blog.
“Lack of cryptographic protection for sensitive data is yet another example of where it’s all gone wrong.”
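To make concrete what “a straight MD5 hash” means in the quotes above, and what the experts would have expected instead, here is an added illustration (not VTech’s code, and not from Troy Hunt’s post). It stores a few constructed sample passwords two ways: the weak way described in the article (one unsalted MD5 digest per password) and a hardened way using a per-user random salt with PBKDF2-HMAC-SHA256. The user names, passwords and the 600,000 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample credentials for the demonstration; nothing here comes from the breach.
SAMPLE_USERS = {
    "parent_a": "password",
    "parent_b": "password",  # deliberately the same password as parent_a
    "parent_c": "There is no place like home",
}

# Assumption: an iteration count in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The weak scheme the article describes: a single, unsalted MD5 hex digest.

    The same password always yields the same digest, for every user and every
    site using this scheme, so a precomputed table of common passwords maps
    straight back to the plaintext. MD5 is also fast, which helps guessing.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: a fresh 16-byte random salt per user and a slow KDF.

    The stored record carries everything needed to re-derive the digest later:
    algorithm, iteration count, salt and digest, separated by '$'.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_collides(scheme: Callable[[str], str]) -> bool:
    """Do two users who chose the same password end up with identical records?

    True for the unsalted MD5 scheme (one cracked record cracks them all);
    False for the salted scheme, where every record must be attacked separately.
    """
    return scheme(SAMPLE_USERS["parent_a"]) == scheme(SAMPLE_USERS["parent_b"])


if __name__ == "__main__":
    for user, pw in SAMPLE_USERS.items():
        print(f"{user}: md5={md5_store(pw)}")
        print(f"{user}: {pbkdf2_store(pw)}")
    print("identical records under MD5:   ", same_password_collides(md5_store))
    print("identical records under PBKDF2:", same_password_collides(pbkdf2_store))
```

Run stand-alone, the script shows parent_a and parent_b sharing one MD5 digest while their PBKDF2 records differ; the salt alone is what makes a precomputed table useless against the second scheme, and the iteration count is what makes per-record guessing expensive. The same treatment should apply to anything else that can unlock an account, including the security-question answers the article says were stored in plain text.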
As with any hack that involves the leak of passwords, it’s important that any Learning Lodge app user change their passwords on other websites if they used the same password.
Tips for creating secure passwords
Stay away from easy-to-guess passwords like “123456” or “password” and easy-to-guess identifiers, like your dog’s name.
Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Also, the longer the password, the better.
Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
And remember, try not to use the same password for any two accounts.