Connected CloudPets teddy bears blab on owners, leak 2 million voice recordings

Remember when the worst thing that could happen to your doll was it losing an eye? How times have changed.

In the latest toy scandal (yes, those are a thing now), a connected teddy bear leaked the voice recordings of more than 2 million children and parents, along with email addresses and password information associated with more than 800,000 accounts. As first reported by Troy Hunt in a blog post published in late February, Spiral Toys, the company behind the CloudPets line of stuffed animals, left a whole lot of user data vulnerable to attack. Now, those toys have been pulled from a number of retailers, including Amazon, Walmart, and Target.

Amazon began taking down CloudPets from its online marketplace after being contacted by Mozilla, which offered research that highlighted the potential dangers of the child’s toy.

“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

When it comes to CloudPets, it looks like that concern is well-placed. A few months ago, Hunt explained the vulnerability, writing in his blog post, “…in CloudPets’ case…data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).” So what does that mean? In essence, customer data could be easily accessed by just about anyone, and accessed it was. Hunt noted that as per data from Shodan, between December 25 and January 8, customer data was looked into many times by many people, including by malicious parties who demanded ransom for the release of some of this data.

Worse still, it would appear that CloudPets was actually warned of this problem, with Hunt noting that a good samaritan had “tried to contact CloudPets three times to warn them about the exposure.” Unfortunately, the email address listed on the company’s support page bounced back, and subsequent attempts at contact went unanswered.

Sadly, Hunt said, this kind of willful ignorance seems to be rather commonplace, particularly in the realm of cybersecurity. “Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this,” he wrote. “If you run any sort of online service whatsoever, think about what’s involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise.”

Updated on June 5: Amazon, Walmart, and Target pulled CloudPets from stores.