CORRECTED-UPDATE 2-Toymaker VTech hit by largest-ever hack targeting kids

(Corrects quote in 4th paragraph to read "...is troubling"
instead of "...is disturbing")
By Jim Finkle
Dec 1 (Reuters) - A cyber attack on digital toymaker VTech
Holdings Ltd 0303.HK exposed the data of 6.4 million children,
the company said on Tuesday, in what experts called the largest
known hack targeting youngsters.
The Hong Kong-based firm said the attack on databases for
its Learning Lodge app store and Kid Connect messaging system
affected even more kids than the 4.9 million adults that the
company disclosed on Friday.
Security experts said they expected the size of the breach
would prompt governments to scrutinize VTech and other toymakers
to review their security.
"The disclosure of the scope of the breach is troubling,"
said Jaclyn Falkowski, a spokeswoman for Connecticut's attorney
general.
Connecticut and Illinois said on Monday they plan to
investigate the breach. Regulators in Hong Kong are also looking
into the matter.
"This breach is a parent's nightmare of epic proportions,"
said Seth Chromick, a threat analyst with network security firm
vArmour. "A different approach to security for all organizations
is needed."
Chris Wysopal, co-founder of cyber security firm Veracode,
said it could be a wake up call for families in the same way
that the hack on infidelity website Ashley Madison earlier this
year made adults realize online data might not be safe.
VTech said in a statement that children's profiles included
name, gender and birth date. Stolen adult data included name,
mailing address, email address, password retrieval questions, IP
address and passwords. (http://
The most VTech customers affected were in the United States,
followed by France, the United Kingdom, Germany, Canada, Spain,
Belgium and the Netherlands.
Shai Samet, a security expert who audits toymakers for
compliance with the U.S. government's Children's Online Privacy
Protection Act, said he believed the case would lead many toy
companies to "rethink" security protections on children's data.
Technology news site Motherboard, which broke news of the
breach last week, reported that the person who claimed
responsibility for the hack said "nothing" would be done with
the stolen information.
Security experts were skeptical, noting that the stolen data
could be worth millions of dollars.
"I wouldn't trust him," said Troy Hunt, a security expert
who reviewed samples of stolen data and information about the
attack for Motherboard.
Justin Harvey, chief security officer with Fidelis
Cybersecurity, said stolen records sell for $1 to $4 in
underground markets.