If you thought the cyberattack on childrens’ technology firm VTech couldn’t get any worse, it just did.
Motherboard reports that the hacker who obtained personal data on almost 5 million parents and more than 200,000 children also took hundreds of gigabytes worth of profile photos, audio files, and chat logs — many of which belong to children.
Tens of thousands of pictures — many blank or duplicates — were thought to have been taken from from Kid Connect, an app that allows parents to use a smartphone app to talk to their children through a VTech tablet.
Motherboard was able to verify a portion of the images, and the chat logs, which date as far back as late-2014.
Details about the intrusion are not fully known yet. The hacker, who for now remains nameless, told Motherboard that the Hong Kong-based company “left other sensitive data exposed on its servers.”
The important question is why the data was stored on VTech’s servers in the first place.
VTech did not immediately respond to a request for comment. (If that changes, we will update the piece).
The company confirmed the breach earlier on Monday, adding that it suspended various app stores and websites.
While the data stolen doesn’t include credit card and Social Security information, some have begun to question why so much data and information was not only collected but also stored in an insecure way.
“Don’t collect data because it might be useful at some point,” said Mark Nunnikhoven, vice-president of security firm Trend Micro, said in a LinkedIn post on Monday. “This opens the organizations up to unnecessary risk.”
Nunnikhoven previously criticized the company for its “unacceptable” response by acting after it was informed by reporters of the hack.
Troy Hunt, a Microsoft MVP for developer security and founder of breach notification website Have I Been Pwned, who helped Motherboard to confirm the breach, said the attack pushes the number of accounts in his database past the quarter-billion mark.