Smart Teddy Bear at Center of Recent Data Breach

February 28, 2017, Written By John H. Oldshue

CloudPets, a line of Internet-connected stuffed animals for children, has been breached, and more than 800,000 user emails and passwords may have been exposed.

Earlier reports that more than two million children’s voice messages were also leaked are being denied by Spiral Toys, the creator of the product line.

“Were voice recordings stolen? Absolutely not,” Mark Myers, CEO of the company, told CIO.

CloudPets stuffed animals allow parents and grandparents to record greetings via a phone app, and then send the messages to their child’s toy. Children can then record a response. The toy is marketed to working parents and grandparents so they can stay connected with their children. However, critics of the toy have stated it is dangerous to store children’s voice recordings on the web, which is similar to the criticism leveled at Hello Barbie.

While the fact of whether voice recordings were exposed is debated, it seems certain that user emails and hashed passwords were exposed, according to security researcher Troy Hunt. In a blog post, Hunt explained how he was able to verify the information and said the hackers had attempted to ransom these login credentials in January.

While the passwords were hashed, which makes them more difficult to crack, CloudPets did not have any password strength requirements. This means many users chose simple passwords, which Hunt said he was able to easily crack by comparing them to common terms.

“Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt said.

Myers has admitted that malicious actors could obtain the voice recordings if they were able to guess the password, but has said, “We looked at it and thought it was a very minimal issue.”

CloudPets allegedly made an error when they stored user information in a publicly exposed online database that did not require a password to access, which allowed anyone to view and steal the information.

This is not the first leak of its type. Last year, VTech was hacked, and personal information, including kids’ pictures and chat logs, of 6.3 million customers was exposed.



The information contained within this article was accurate as of February 28, 2017. For up-to-date
information on any of the terms, cards or offers mentioned above, visit the issuer's website.