Parents of children with CloudPets toy animals are warned of a data breach that reportedly allowed anyone to access the personal information of CloudPets owners — including photos and voice messages.
CloudPets are meant to enable children to communicate with traveling parents or other family members living away from home — the toys connect to mobile apps that allow messages to be sent between the child and another account holder through the toy. CloudPets account holders provide the name of their child, a photo, and an email address when they sign up.
According to CNN, a recent security report showed that over 820,000 CloudPets accounts have been exposed by a security vulnerability, including over 2.2 million voice recordings between children and their loved ones.
“I suspect one of the things that will shock people is that they probably didn’t think through the fact that when you connect the teddy bear, your kids’ voices are sitting on an Amazon server,” Troy Hunt, the security researcher who compiled the report, told CNN.
Indeed, the data collected through CloudPets is stored remotely, not on the devices of the account holders. Hunt and his colleagues found that for a time, the database holding the account information did not require authorization to access it. And while account passwords were protected by an algorithm, there were no strength requirements — like a minimum length — for the passwords.
“Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt told Infosecurity Magazine.
Hunt’s report found that hackers stole some of the data from CloudPets and demanded a ransom in Bitcoin in order to return it. According to the CNN report, the researchers believe CloudPets was able to restore the stolen data from a backup, but the bad actors are presumably still in possession of it.
While the data is no longer publicly accessible, CNN reports that CloudPets never informed customers of the security breach. Hunt was first tipped off to the leak by customers who contacted him after emails to CloudPets went unreturned.
Spiral Toys CEO Mark Meyers told Forbes that the company had reviewed the CloudPets breach and found that “it was a very minimal issue.” But theoretically, anyone who accessed the account data while it was unprotected could have sent a message to a child through the toy. There are no reports of such incidents at this time.
Hunt told CNN that parents should change the passwords used to access their accounts.
“Normally I would say get in touch with the company involved, but CloudPets is non-responsive,” Hunt told CNN. “I almost think the advice here is to get in touch with local regulators and make a complaint about this.”
The data breach is “the realization of all fears with [Internet of Things] toys,” Hunt told Forbes.