Data leak
VTech Children's Learning Tablet Breach: 11.6 Million Parents, 6.4 Million Children
Incident Details
On 14 November 2015, a hacker breached VTech’s Learning Lodge, the app store and content platform for the company’s range of children’s electronic learning tablets and toys. VTech is a major Hong Kong-based manufacturer of electronic learning products for children. The breach exposed data for approximately 11.6 million parent accounts and 6.4 million child profiles, totalling approximately 18 million accounts. This was the fifth largest consumer data breach at that time.

Parent data included names, email addresses, passwords (MD5 hashed), secret questions/answers, IP addresses, mailing addresses, download histories, and encrypted payment card data. Child data included names, genders, dates of birth, and photos/headshots uploaded by parents for child profiles. In some cases, chat logs and photos transmitted through the Kid Connect messaging system were also accessible.

The hacker who discovered the breach contacted Motherboard journalist Lorenzo Franceschi-Bicchierai and then security researcher Troy Hunt, who confirmed the authenticity of the data. VTech disclosed the breach on 24 November 2015. The US FTC and UK ICO opened investigations. VTech settled with the FTC in 2018 for $650,000 (the first FTC case involving a connected children’s toy company) for violating COPPA (Children’s Online Privacy Protection Act) by collecting personal information from children under 13 without parental consent.
Technical Details
- Initial Attack Vector: A hacker accessed VTech's Learning Lodge app store (used by parents to download apps for VTech children's devices) and the Kid Connect messaging app database via a SQL injection vulnerability in the website. The attacker extracted the customer and children's databases.
- Vendor / Product: VTech Learning Lodge app store / Kid Connect
Timeline
- 2015-11-14 Breach occurred
- 2015-11-24 Publicly disclosed
- 2015-11-24 Customers notified