Remember when the worst thing that could happen to your doll was it losing an eye? How times have changed.
In the latest toy scandal (yes, those are a thing now), it would appear that a connected teddy bear has leaked the voice recordings of more than 2 million children and parents, along with email addresses and password information associated with more than 800,000 accounts. As first reported by Troy Hunt in a blog post published Tuesday, Spiral Toys, the company behind the CloudPets line of stuffed animals, left a whole lot of user data vulnerable to attack.
As Hunt wrote, “…in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).” So what does that mean? In essence, customer data could be easily accessed by just about anyone, and accessed it was. Hunt noted that as per data from Shodan, between December 25 and January 8, customer data was looked into many times by many people, including by malicious parties who demanded ransom for the release of some of this data.
Worse still, it would appear that CloudPets was actually warned of this problem, with Hunt noting that a good samaritan had “tried to contact CloudPets three times to warn them about the exposure.” Unfortunately, the email address listed on the company’s support page bounced back, and subsequent attempts at contact went unanswered.
Sadly, Hunt noted, this kind of willful ignorance seems to be rather commonplace, particularly in the realm of cybersecurity. “Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this,” he wrote. “If you run any sort of online service whatsoever, think about what’s involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise.”