Skip to main content

Connected CloudPets teddy bears blab on owners, leak 2 million voice recordings

Amazon, Walmart, and Target are no longer selling CloudPets

Cloud Pets As Seen On TV Commercial

Remember when the worst thing that could happen to your doll was it losing an eye? How times have changed.

In the latest toy scandal (yes, those are a thing now), a connected teddy bear leaked the voice recordings of more than 2 million children and parents, along with email addresses and password information associated with more than 800,000 accounts. As first reported by Troy Hunt in a blog post published in late February, Spiral Toys, the company behind the CloudPets line of stuffed animals, left a whole lot of user data vulnerable to attack. Now, those toys have been pulled from a number of retailers, including Amazon, Walmart, and Target.

Amazon began taking down CloudPets from its online marketplace after being contacted by Mozilla, which offered research that highlighted the potential dangers of the child’s toy.

“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

When it comes to CloudPets, it looks like that concern is well-placed. A few months ago, Hunt explained the vulnerability, writing in his blog post, “…in CloudPets’ case…data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).” So what does that mean? In essence, customer data could be easily accessed by just about anyone, and accessed it was. Hunt noted that as per data from Shodan, between December 25 and January 8, customer data was looked into many times by many people, including by malicious parties who demanded ransom for the release of some of this data.

Worse still, it would appear that CloudPets was actually warned of this problem, with Hunt noting that a good samaritan had “tried to contact CloudPets three times to warn them about the exposure.” Unfortunately, the email address listed on the company’s support page bounced back, and subsequent attempts at contact went unanswered.

Sadly, Hunt said, this kind of willful ignorance seems to be rather commonplace, particularly in the realm of cybersecurity. “Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this,” he wrote. “If you run any sort of online service whatsoever, think about what’s involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise.”

Updated on June 5: Amazon, Walmart, and Target pulled CloudPets from stores. 

Editors' Recommendations

Lulu Chang
Former Digital Trends Contributor
Fascinated by the effects of technology on human interaction, Lulu believes that if her parents can use your new app…
Adding AI to Alexa is the brain transplant we’ve all been waiting for
The Amazon Echo Show 8 at the Devices Event 2023.

“Alexa, turn the kitchen to cooking mode," my wife innocently requests.

“What do you mean by cooking mode?” her digital tormentor needles.

Read more
No sane person should spend $600 on a consumer-level router
The Eero 7 Max works with Wi-Fi 7.

I have, from time to time, been known to spend a little too much money on toys. (That's pronounced "tech"). I'm a firm believer in spending as much as you can in some circumstances. Can't upgrade the storage or RAM on your phone or laptop later? Max it out now. That sort of thing.

But I cannot, in good conscience, get anywhere close to convincing myself that I'd ever be able to justify spending $600 on a consumer-grade router.

Read more
Ecovacs Deebot X2 Omni boasts a new square design and improved vacuuming skills
The X2 Omni clenaing under a bed.

The Ecovacs Deebot X2 Omni was officially revealed today, showing off a bold square design, increased suction, and retractable mops so it can vacuum and mop in a single run. It’s a big step up from the old X1 Omni, and it’s a solid addition to the Deebot lineup -- which already includes the well-reviewed T20 Omni.

As one of the most expensive robot vacuums in the Deebot catalog, the X2 Omni is packed with premium features. This includes an impressive 8,000Pa of suction, two rotating mopping pads that apply pressure to the floor while in use, and improved navigation and mapping abilities thanks to a dual-laser lidar system.

Read more