VTech children's data breach

On 27 November 2015, the Hong Kong-based educational-toy maker VTech Holdings confirmed that an attacker had broken into the database behind its Learning Lodge app store and Kid Connect messaging service, exposing the personal data of 6.4 million children and nearly 5 million parent accounts. It was, at the time, the largest known breach to specifically target data about minors.

What happened

VTech sells internet-connected tablets and toys for young children. Its Learning Lodge portal let parents download apps, e-books, and games, while Kid Connect allowed children to chat with parent-approved contacts. The back-end database holding these accounts was protected by weak web-application security.

An attacker — who later spoke to Motherboard and provided the data to a journalist rather than selling it — used a SQL-injection attack to reach the Learning Lodge database. SQL injection is a decades-old, well-understood flaw; VTech had failed to sanitize user input, allowing the intruder to query the database directly. The company also transmitted data over unencrypted connections and stored passwords as unsalted MD5 hashes, with security questions and answers kept in plain text.

Impact

6,368,509 children's profiles were exposed, containing names, genders, and dates of birth. Some accounts included profile photos, chat logs, and audio recordings from Kid Connect.
About 4.85 million parent accounts were compromised, exposing names, email addresses, mailing addresses, password hashes, and security questions.
The most-affected countries were the United States (≈2.9 million children), France (≈1.17 million), and the United Kingdom (≈727,000).
In December 2015, British police arrested a 21-year-old in Bracknell, England, in connection with the intrusion.
In January 2018, VTech settled with the U.S. Federal Trade Commission for $650,000, the FTC's first enforcement action involving an internet-connected toy. The agency found VTech had violated the Children's Online Privacy Protection Act (COPPA) by collecting children's data without adequate parental notice and consent, and the FTC Act by failing to secure it.

Why it matters

The VTech breach reframed children's data as a first-class security concern. Unlike credit-card or credential leaks, much of what was exposed — birth dates, photos, voice recordings, parent-child relationships — is immutable and uniquely sensitive for minors, creating long-lived risks for identity fraud and targeting.

It also exposed how lightly some consumer-IoT vendors treated security: a textbook SQL-injection flaw, unencrypted transport, and weak password hashing in a product aimed squarely at children. The FTC's COPPA settlement signaled that regulators would hold connected-toy makers to the same data-protection standards as any other custodian of sensitive personal information, and the case remains a foundational reference for kids' privacy and IoT security discussions.

Timeline

November 14, 2015

An attacker exploits a SQL-injection flaw in VTech's Learning Lodge app store database and exfiltrates customer and child-profile records.

November 24, 2015

VTech discovers the unauthorized access to its Learning Lodge database.

November 27, 2015

VTech publicly confirms the breach after being contacted by a journalist who received the leaked data from the hacker.

December 1, 2015

VTech reveals the breach affected 6.4 million children's profiles and roughly 4.9 million parent accounts worldwide.

December 15, 2015

British police arrest a 21-year-old in Bracknell, England, in connection with the breach.

January 8, 2018

VTech settles with the U.S. FTC for $650,000 over COPPA and FTC Act violations — the agency's first connected-toy enforcement action.

Sources

ftc.govhttps://www.ftc.gov/news-events/news/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated-childrens-privacy-law-ftc-act

washingtonpost.comhttps://www.washingtonpost.com/news/the-switch/wp/2015/12/01/vtech-says-6-4-million-children-were-caught-up-in-its-data-breach/

cnbc.comhttps://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html

nbcnews.comhttps://www.nbcnews.com/tech/security/vtech-hack-exposes-6-4-million-childrens-profiles-n472011

Related incidents

Supply chainContainedJuly 2, 2021

Kaseya VSA supply-chain ransomware (REvil)

REvil affiliates exploited a SQL injection zero-day in Kaseya's VSA remote-management platform to push ransomware to ~60 MSPs and through them to ~1,500 downstream organisations. The largest supply-chain ransomware attack on record.

Victim: Kaseya VSA customers (~60 MSPs, ~1,500 downstream organisations)
Loss: $200.0M

Vulnerability exploitOngoingJune 10, 2026

Max-severity Ivanti Sentry flaw exploited for root code execution (CVE-2026-10520)

Ivanti patched a maximum-severity unauthenticated command-injection flaw in its Sentry mobile gateway that gives attackers root-level remote code execution, and within days real-world exploitation followed a public proof-of-concept, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.

Victim: Ivanti Sentry

Vulnerability exploitContainedJune 9, 2026

ServiceNow discloses unauthenticated API flaw that let attackers query customer instance data

ServiceNow disclosed that a misconfigured, unauthenticated REST API endpoint allowed actors to query data from hosted customer instances, an issue the company patched on 5 June but did not publish a (login-gated) advisory for until days later.

Victim: ServiceNow

Vulnerability exploitContainedJune 8, 2026

Meta Instagram 'High Touch Support' account-takeover breach (2026)

Attackers abused a verification flaw in Meta's AI-assisted Instagram account-recovery tool, High Touch Support, to trigger password resets and hijack 20,225 accounts before Meta detected and disabled the tool.

Victim: Meta Platforms (Instagram)