The company also said the UK was the third-worst affected country worldwide. In total 4,854,209 parent accounts were accessed by hackers, with 6,368,509 children's profiles also compromised.
The breakdown for the UK saw 560,487 parent accounts and 727,155 child profiles hit by the attack. Worst affected was the United States, which had a combined five million parent and child profiles compromised, with France in second on almost two million accounts in total.
Initially the Hong Kong-based company only confirmed that approximately five million customer profiles were accessed, stopping short of revealing the number of child accounts compromised.
In response to the incident the UK's data protection regulator -- the Information Commissioner's Office -- which has the power to fine those who breach privacy laws, said it has been made aware of the incident and is "making enquiries".
The toy manufacturer has suspended its worldwide app stores since it discovered the attack. The Learning Lodge app store -- which provides downloads of apps, games, music and books for toys made by VTech -- had its database hacked on November 14.
Included in the compromised details are names, addresses, IP addresses, dates of birth, genders and secret questions and answers. It has also been claimed that 190GB of photos were downloaded by the hackers, an allegation VTech has refused to confirm. "As the investigation is on-going, we cannot confirm at this stage. However, we can confirm these images are encrypted by AES128," a statement said.
As well as the images, it is purported that audio and chat logs were also downloaded by those responsible for the hack but, again, the company hasn't confirmed whether this is the case.
VTech did say that audio files were encrypted whereas chat logs were not. "Kid Connect is similar to a WhatsApp service," it said in a statement. "Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days."
No payment information has been accessed, according to the company.
In its latest update VTech claims it only became aware of the stolen data when it was informed by a journalist. A subsequent investigation, started on November 24, found "irregular activity".
VTech said it then informed all of its customers of the hack before launching a more detailed investigation. "Regretfully our database was not as secure as it should have been," VTech said at the time. "Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
This article was originally published by WIRED UK