Two million voice messages recorded by parents and their children via a “smart” cuddly toy have been leaked online, according to a cybersecurity researcher.
Troy Hunt said the company behind CloudPets accidentally exposed a database containing 800,000 customers’ login credentials and messages.
Passwords were protected using an advanced security system, but there were no password rules, Hunt said. As a result, some users allegedly chose very simple passwords that were easy to crack, which allowed access to some messages.
CloudPets are designed to let parents and children send heartfelt messages to each other using the bear and a smartphone app.
Motherboard reported that the data was exposed from at least late December to 12 January and that hackers held it for ransom.
NetworkWorld reported the company had denied voice data was stolen.
Since publication, Spiral Toys has sent HuffPost UK a statement regarding the allegations, which has been appended to this article.
“It only takes one little mistake on behalf of the data custodian [...] and every single piece of data they hold on you and your family can be in the public domain in mere minutes,” Hunt wrote in a blog post about the incident.
Ken Munro, a British security researcher, told the BBC: “If you have a CloudPets bear, switch it off.
“It might be a good idea for people to try to delete their accounts - it’s possible that the recorded data might go.
“Try to remember what password you set for the account - and if you used it anywhere else, change it.”
The news comes just days after German parents were urged to destroy their children’s “My Friend Cayla” dolls in light of fears they can reveal personal data.
Update: this article has been amended to clarify that Spiral Toys has issued the following statement about the incident:
Spiral Toys was notified about a potential breach on February 22 and took immediate and swift action to protect the privacy of our customers. When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed. To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted. For the protection of our users we are now requiring users to choose new increased security passwords. An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password.
The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.
Once we have addressed our customers’ needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California.
We will continue to post any updates on our website.