Sloppy data security practices at a toy company that sells a line of internet-connected stuffed animals has exposed the personal information of more than 800,000 customers, and some 2 million voice recordings ― many of them from children.
The toy animals, manufactured by CloudPets, have the ability to store and replay voice messages sent to them via the internet. Ideally, that means traveling parents ― for instance, a deployed military member ― could send a heartfelt message to their child’s teddy bear at home, to be replayed when their child interacts with the bear:
But since at least Christmas Day of last year, information on the CloudPets server ― including customers’ login and password information and voice recordings ― was stored in an exposed database easily accessible to anyone on the internet who knew where to look.
Online security expert Troy Hunt is one of the first to have noticed the issue. He and several others attempted to alert CloudPets to the security oversight numerous times, yet never heard back.
CloudPets also did not respond to a request for comment from The Huffington Post.
With a little sleuthing, and some help from CloudPets users willing to serve as guinea pigs, Hunt tracked down some surprisingly personal information on the CloudPets servers. Kids’ names, birthdays (minus the year) and their relationship with authorized users (i.e., parents, grandparents, friends, etc.) were all accessible.
So, too, were audio clips on the toys themselves. Hunt, who only accessed the information after obtaining permission from CloudPets users, describes on his website:
One little girl who sounded about the same age as my own 4-year-old daughter left a message to her parents: Hello mommy and daddy, I love you so much.
Another one has her singing a short song, others have precisely the sorts of messages you’d expect a young child to share with her parents. I didn’t download either pictures or recordings from other parties, only those I was specifically granted access to by HIBP subscribers, but the risk was clear.
It’s also entirely possible a hacker could use that information to push messages to the toys themselves.
The below video below ― which a Twitter user who goes by MisterZoomer told The Huffington Post his wife filmed as a lighthearted prank ― is a terrifying example of what’s actually possible with the technology:
“Parents need to work on the assumption that if they have a CloudPet, multiple unauthorized parties could have accessed their voice recordings,” Hunt told The Huffington Post in an email. “Because the service is still online today and account details were also leaked, those recordings could still potentially be accessed today.”
Those recordings don’t necessarily present a security threat in and of themselves, Hunt said, but parents should certainly be aware of what’s out there. And CloudPet users should be sure to change their passwords, especially if they’ve reused them for other internet accounts.
“Many of the same problems are present we have in other data breaches: email addresses could be used for spam or phishing, and reused passwords could be used to exploit other accounts,” added Hunt. “There’s little practical value for children’s voice recordings, but of course as parents we’d feel very uneasy knowing that other people could have them.”
The main takeaway? Think twice before you welcome any internet-connected device into your home, particularly ones that children may interact with on a regular basis.
“The bigger picture here is to think very carefully before giving a child a connected device like this,” Hunt concluded. “By all means, get them involved early with computers and responsible internet use, but in my view connected toys like this pose too great a risk.”
Hackers haven’t just accessed the data, according to Hunt. He says there’s clear evidence cybercriminals have held the database for ransom, at least twice, demanding money from the company in exchange for the data’s safe return.
The database was no longer publicly accessible as of Jan. 13, Hunt said, but anyone who obtained the data while it was live could still use it for nefarious purposes, including accessing a victim’s account.
“This service ― and the files ― really need to be taken offline ASAP until everything can be properly secured,” Hunt said.