Children's technology maker VTech has become the latest company to confirm a major data breach, admitting that the personal details of up to five million customers around the world were compromised in a hacking attack.
In a statement published last Friday (November 27th), the firm said that an "unauthorised party" had accessed its Learning Lodge app store database. Details held on the database included names, email addresses, encrypted passwords, security questions and answers, IP addresses, mailing addresses, and download histories, although VTech stressed that credit card information was not compromised.
However, it has since been claimed that these were not the only details accessed in the incident. Vice's Motherboard site reported it had spoken anonymously with the hacker, who had also found thousands of photos of children and a year's worth of chat logs that recorded communications between VTech's users and their parents, as well as several audio files reportedly of conversations between families.
The alleged hacker shared a sample of 3,832 image files with Motherboard for verification purposes, but added that he did not intend to publish or sell the data.
A children's toymaker may not seem like the most obvious target for a cyber attack, but the incident highlights how any company that holds large amounts of customer data will be a tempting prospect for a hacker - particularly if it is viewed as a 'soft target'.
Tod Beardsley, security research manager with Rapid7, told Reuters: "VTech is a toymaker and I don't expect them to be security superstars. They are amateurs in the field of security."
Chris Eng, vice-president of research at security software maker Veracode, also told the news provider that toy manufacturers tend to lack rigour when it comes to secure software development and are "inevitably going to fall short on security".
Indeed, one security expert has already suggested that the type of attack faced by VTech is one that it should have been able to defend against, if it had even the most basic protections in place.
Professor Alan Woodward, cyber security expert at Surrey University, told the BBC the firm may have been subjected to a simple hacking technique known as an SQL injection.
"If that is the case then it really is unforgivable - it is such an old attack that any standard security testing should look for it," he said.