Toy maker hack exposes data of 5 million – including personal info of children

The personal information of about 5 million people – including the photos and profiles of more than 200,000 children – has been exposed following a hack of the electronic toy maker VTech.

VTech confirmed the data breach of its Learning Lodge online portal Friday. Customers use Learning Lodge to download apps, learning games and e-books to VTech products such as learning tablets. VTech customers also use Learning Lodge to register accounts, both for themselves and their children.

The Hong Kong-based company noted that “an unauthorized party” accessed VTech customer data on the Learning Lodge app store database Nov. 14.

Related: Here's how much your stolen data is worth on the Dark Web

VTech confirmed Monday that the database contains user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history. The database also stores kids’ information, including names, genders and birthdates. VTech says that about 5 million customer accounts and related childrens’ profiles worldwide are affected by the breach.

Citing the hacker who claimed responsibility for the hack, Motherboard reports that the personal data of more than 200,000 children has been exposed. The hacker, who asked to remain anonymous and has no plans to exploit the data, also told Motherboard that sensitive information, such as kids’ photos and chatlogs between parents and children, was left exposed on VTech servers.

Security expert Graham Cluley warns that the breach underlines the need for parents to think seriously about how their childrens’ data is shared. “Clearly manufacturers should be taking greater care over data security and privacy, but parents should also be more careful with their children's personal information,” he explained in an email to “For instance, does an early learning device really need to be told your child's real date of birth?  Always think carefully about the information you share.”

Related: Stop stores and airports from tracking your movements

VTech has reached out to every account holder in the database, via email, to alert them of the breach and the potential exposure of their account data. The firm also reiterated Monday that its customer database does not contain any credit card information or personal identification data such as ID card numbers, Social Security numbers or driver's license numbers.

VTech has temporarily suspended its Learning Lodge website following the breach. The company has not yet responded to a request for comment on this story from

Other toys also are in the security spotlight at the moment. A security researcher recently warned that the Wi-Fi-enabled Hello Barbie is vulnerable to hackers and could be used to spy on children. ToyTalk, which worked with Mattel to create Hello Barbie, downplayed the claim in a Tumblr post Thursday.

A spokeswoman for Mattel told that the toy manufacturer and ToyTalk have taken numerous steps to ensure Hello Barbie meets security and safety protocols.

"Reports have claimed that Hello Barbie has been 'hacked.' It is important to note that in all claims we know about, no children’s audio files were accessed, no passwords were compromised, no personal information was disclosed and no dolls were made to say anything unintended," she said, in an emailed statement. "Mattel and ToyTalk built in many privacy and security measures and are committed to providing the safest possible experience
for parents and their children."

Follow James Rogers on Twitter @jamesjrogers