Recorded messages spoken to teddy bears could pose privacy risks for children.
A security vulnerability allowed anyone to view personal information,
photos and recordings of children’s voices from CloudPets toys. And at
one point, some people tried to hold all of that information for ransom.
compiled by security researcher Troy Hunt, over 820,000 user accounts
were exposed. That includes 2.2 million voice recordings.
“I suspect one of the things that will shock people is that they
probably didn’t think through the fact that when you connect the teddy
bear, your kids’ voices are sitting on an Amazon server,” Hunt said.
CloudPets toys connect to mobile apps and let parents and loved ones
send messages to their children that are played through the stuffed
animals. When you create an account with CloudPets, you give it your
child’s name, an email address and a photo.
Like other toys that connect to the internet, CloudPets stores all that
data in the cloud, not on your smartphone itself. The toys launched in
2015, and include stuffed bears, dogs, cats and rabbits.
But as Hunt and other investigators found, kids’ information was stored
in an insecure database that didn’t require authentication to access
it. As Hunt explained to CNNTech, it takes one mistake to expose this
data — the error on the database was a bit like not having a pin on
This database was indexed by Shodan,
which is a search engine for finding insecure devices connected to the
internet. You can use it to see if popular devices (like toys) are
leaking data — you can also use it to take advantage of insecure
According to Hunt, that’s what happened. Someone deleted the data, and
posted a ransom note: CloudPets would have to give the bad actors
Bitcoin in order to get its data back. Instead, CloudPets likely
restored the data from a backup.
The data is no longer publicly accessible. But CloudPets has not
informed users of the leak,
and as far as researchers know, the passwords are still active. This
could be a violation of the law. In California, the government requires companies to notify users if their information was exposed online. CloudPets, and its maker Spiral Toys, are based in California.
It’s not the first security debacle for internet-connected toys. Hunt also discovered a flaw in VTech gadgets that leaked data on millions of parents and kids, and Germany recently told parents to trash Cayla dolls over hacking potential.
Concerned users tipped off Hunt to the CloudPets leak after their
emails to the company went unreturned. Hunt worked with reporter Lorenzo
Franceschi-Bicchierai of the tech site Motherboard to try to contact
CloudPets to report the issue, but was unsuccessful.
A CNNTech email to CloudPets was returned as undeliverable. Spiral Toys sent CNNTech a statement addressing a story about the leak reported by Franceschi-Bicchierai. The company said no messages or images were compromised.
Hunt said parents should change their passwords if they reuse the
CloudPets password anywhere else. (However, you shouldn’t reuse
passwords — here are some security tips to help keep you safe online.)
“Normally I would say get in touch with the company involved, but
CloudPets is non-responsive,” Hunt said. “I almost think the advice here
is to get in touch with local regulators and make a complaint about