Spiral Toys, the manufacturer of the SmartToy line CloudPets, left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen to. Some hackers went so far as to lock accounts and hold them for ransom.
The internet-connected Teddy Bear allows kids to communicate with far away friends and relatives without having to give them their own phone, though parents do have to download the CloudPets App to a phone or tablet to connect the bear. Messages can be sent and received from anywhere in the world. Unfortunately, the database used by Spiral Toys wasn’t behind a firewall or password protected, which made it easy to find using Shodan, a search engine that exposes unprotected websites and servers to hackers. The attack occurred between Christmas of last year and at least until the first week of January, and according to Motherboard at least two security researchers and likely malicious hackers were able to get into the system. In fact, at the beginning of January, CloudPets’ data was overwritten twice, according to researchers. (RELATED: Get all the news the media is trying to hide form you at Censored.news)
Those able to hack the system can now access more than 800,000 emails and passwords. Troy Hunt, a security researcher that analyzed the CloudsPets data, says a majority of the passwords were very weak and easy to crack. To make matters worse, Spiral Toys has yet to notify victims or disclose the breach even though it has been nearly two months since it happened. Jason Pagel, a student in a workshop that Hunt taught last week, and a father to a 6-year-old girl, found out about the breach through Hunt. “My bigger concern is that someone may be able to use this information to send inappropriate messages to my 6-year-old daughter,” Pagel told Motherboard via email. “[My parents] certainly won’t be sending any more messages to their granddaughter through this. And while I doubt we will throw the toy away, it’s effectively been reduced to a way-overpriced stuffed animal.”
This breach mirrors the concerns that caused Germany not only to ban but destroy the SmartToy “My Friend Cayla” after regulators decided that the doll posed a significant threat to the privacy of its citizens. Aside from it being exposed that the information Cayla records is sent to a company that makes voice recognition software, this toys software can be easily hacked as well. Security researcher Ken Munro from Pen Test Partners has identified some vital flaws in the software. By his account, Ken, or any hacker for that matter, can get into Cayla’s system to modify commands as well as change vocabulary. And just like CloudPets, Cayla also operates via a Bluetooth system which means strangers could potentially connect with both toys and communicate with your child.
The Consumer Privacy Project, a Washington nonprofit that advocates for consumer privacy, as well as many other privacy groups, have filed a complaint with the Federal Trade Commission about Cayla and other SmartToys. Ideally, they’d like to see the toys taken off the shelves in the United States, as they have been in Germany and some other European countries.