The Learning Lodge store gives access to apps, games, e-books and other content for VTech products. Its database contains profile information on customers, including email addresses, passwords, and information on customers' children's names, birthdates and genders, VTech said. It does not, however, contain any credit card information or personal identification data such as social security or driving licence numbers, the company said.
Paul Haswell of Pinsent Masons, the law firm behind Out-Law.com, said: "This is a wake-up call for Hong Kong: the first high profile data breach suffered by a Hong Kong company that is likely to have worldwide ramifications. I hope that this will lead to an amendment of the existing data privacy laws, to include requirements to keep data more secure, and with stiffer penalties for failing to do so. A requirement to notify in the event of a data breach should also be introduced. It is also worth noting that lots of the data lost has been collected from users overseas and will be subject to international data privacy laws."
With no requirement to notify data breaches under the current Hong Kong Data Privacy Ordinance, it is "impossible to say" how frequent such breaches are in the jurisdiction, Haswell said.
"It is likely that data breaches are happening all the time, but we are simply not finding out," he said.
Haswell said: "There are unconfirmed reports that a considerable amount of data was not encrypted. Security researchers are already suggesting that VTech failed to take even basic preventative steps, with communications taking place over unencrypted connections."
The BBC reported that the US states of Connecticut and Illinois are investigating the attack, although neither state website confirms this.
Haswell said: "I expect that all US states will be under pressure from parents to take action, particularly given the great sensitivity of the information stolen: account details, names, dates-of-birth and even profile pictures. It will be interesting to see if other users worldwide consider action as well," he said.
Vice Media's 'Motherboard' site claimed that pictures of children were also accessible to hackers.
The attack took place on 14 November, the company said. VTech has "reached out" to every account holder to alert them of the breach and the potential exposure of their data, and has set up email enquiry contacts for concerned users, it said.
The Learning Lodge site and several other VTech sites have been take off line "for thorough security assessment and fortification", VTech said.