Research News

VTech hack first major attack to gain access to minors’ accounts

By BERT GAMBINI

Published December 3, 2015

More than 200,000 of the 5 million accounts stolen in a cyberattack on the digital toymaker VTech belonged to children, and their archived chat logs from the site could potentially be stitched together to form a comprehensive profile, information that hackers could use to open credit card accounts, according to UB cyber expert Arun Vishwanath.

“And no one would even know anything was wrong until that child applied for credit on their own later in life,” says Vishwanath, associate professor in the Department of Communication and an expert in cyber deception.

Vishwanath says this is one of the first major attacks that involves stealing information from minors, including passwords, personal photos, logins, security credentials that provide name, date of birth, a child’s gender and chat logs — information that might at a glance seem harmless, but also could contain nicknames, addresses or even embarrassing gossip.  

“Collectively that’s a lot of potentially damaging data,” he says.

But there’s another dimension to the hack, part of what Vishwanath calls a new paradigm that became reality following breaches like those at Ashley Madison and SONY Pictures Entertainment.

“Hackers no longer just steal personal information,” he says. “They are releasing that stolen personal information in the public domain.”

And Vishwanath says there’s no undoing that action. Once released, that information stays in searchable databases forever.

“That’s the scary part,” he says. “We often think about stolen information making credit cards and bank accounts vulnerable, but individuals can be targeted through other means, such as social media attacks or even selling the information that makes it easier to specifically craft attacks based on people’s lifestyles.”

The disturbing nature of the trend was seen last month when hackers released 15 gigabytes of data stolen from the crowdfunding site Patreon, including users’ names, passwords and donation records.

“Reports of organizations paying ransoms to stop similar releases, of people losing their jobs and of some even killing themselves out of embarrassment highlight the stakes involved,” he says.