Recorded messages spoken to teddy bears could be the latest target for hackers, according to a report from security researcher Troy Hunt.
CloudPets toys, the maker of electronic stuffed animals, left the personal information available for anyone to see. This included details of the child and recorded messages.
The data was indexed by Shodan, a search engine that publicizes data from insecure devices. Over 800,000 account details and 2.2 million recorded messages were available.
Hackers and data miners used the personal information for ransom, some asking the parents for Bitcoins in exchange for the data. Others may use the account details, which include the password, to hack into more valuable online accounts.
Because you can doesn’t mean you should
CloudPets has taken the personal information offline since the leak, but did not inform its customers that their information had been made available online. This is in breach of state law in California, and CloudPets may face serious charges for failure to inform its users.
Spiral Toys, the makers of CloudPets, was unavailable for comment.
“This is the perfect example of why just because you can connect a device to the Internet, it doesn’t mean you should,” said Steven Malone, Director of Security Product Management at Mimecast.
“Additionally, if you’re going to trust a company with your sensitive data – be it email, files, web traffic or in this case, highly personal content – doing so without checking the security credentials and practices of the cloud provider in question is simply asking for trouble.”
It is not the first toy company that has shown poor authentication practices, Cayla dolls in Germany were found to have serious security flaws. Hunt also found the same security flaw in VTech gadgets for kids.