Smart teddy bears involved in a contentious data breach

The toy maker experienced a serious data breach, say security researchers, but the company denies that any voice recordings were stolen

If you own a stuffed animal from CloudPets, you had better change the password for the product. The toys -- which can receive and send voice messages between children and parents -- have been involved in a data breach affecting more than 800,000 user accounts.

The breach, which grabbed headlines on Monday, is drawing concerns from security researchers because it may have given hackers access to voice recordings from the toy's customers. But the company behind the products, Spiral Toys, is denying that any customers were hacked.

"Were voice recordings stolen? Absolutely not," said Mark Meyers, CEO of the company.

Security researcher Troy Hunt, who tracks data breaches, brought the incident to light on Monday. Hackers appear to have accessed an exposed CloudPets database, which contained email addresses and hashed passwords, and they even sought to ransom the information back in January, he said in a blog post.

The incident underscores the danger with connected devices, including toys, and how data passing through them can be exposed, he added.

In the case of CloudPets, the brand allegedly made the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication to access. That allowed anyone, including hackers, to view and steal the data.

On the plus side, the passwords exposed in the breach are hashed with the bcrypt algorithm, making them difficult to crack. Unfortunately, CloudPets placed no requirement on password strength, meaning that even a single character such as the letter "a" was acceptable, according to Hunt, who was given a copy of the stolen data last week.

As a result, Hunt was able to recover a large number of the passwords simply by checking the hashes against common terms such as qwerty, 123456, and cloudpets.
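Added example (not CloudPets', Spiral Toys' or Hunt's code) showing why a slow hash on its own does not repair the situation described above: a password policy with a minimum length and a banned-password list, a salted slow hash, and the audit a site owner should run against its own store before forcing resets. Assumptions: bcrypt is a third-party package, so PBKDF2-HMAC-SHA256 from the standard library stands in for it in the same role; the banned list, iteration count, account emails and passwords are constructed for illustration.

```python
"""Password policy versus hashing: the hash slows guessing, the policy removes
the values that need no guessing at all.  Added example, not vendor code."""
import hashlib
import hmac
import os

# Constructed deny-list: the guesses the article mentions plus a few obvious ones.
BANNED_PASSWORDS = {"qwerty", "123456", "cloudpets", "password", "a"}
MIN_LENGTH = 12
ITERATIONS = 100_000  # assumption: slow-hash cost, tune to your hardware


def policy_violations(password: str) -> list:
    """Return the reasons a candidate password fails the policy (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BANNED_PASSWORDS:
        reasons.append("on the banned-password list")
    return reasons


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for bcrypt), stored as iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def accounts_with_banned_passwords(store: dict) -> list:
    """Owner-side audit: which accounts' hashes match an entry on the deny-list.
    Hashing does not hide these; only rejecting them at registration does, so
    the accounts returned here are the ones to reset first."""
    hits = []
    for email, stored in store.items():
        if any(verify_password(guess, stored) for guess in BANNED_PASSWORDS):
            hits.append(email)
    return sorted(hits)


# Constructed sample store: two accounts the policy should have refused, one it accepts.
SAMPLE_STORE = {
    "parent1@example.com": hash_password("qwerty"),
    "parent2@example.com": hash_password("a"),
    "parent3@example.com": hash_password("correct-horse-battery-staple"),
}

if __name__ == "__main__":
    for pw in ("a", "qwerty", "correct-horse-battery-staple"):
        print(f"{pw!r}: {policy_violations(pw) or 'accepted'}")
    print("accounts needing a reset:", accounts_with_banned_passwords(SAMPLE_STORE))
```

The audit deliberately uses the verification routine rather than a shortcut: because each stored hash carries its own salt, every (account, guess) pair costs one full PBKDF2 run, which is what the slow hash buys you against large wordlists. It buys nothing against a deny-list of five words, which is the article's point.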

"Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings," Hunt said in his blog post.

Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December.

However, both Gevers and Hunt said the company never responded to their repeated warnings.

On Monday, California-based Spiral Toys, which operates the CloudPets brand, claimed the company never received the warnings.

"The headlines that say 2 million messages were leaked on the internet are completely false," Meyers said.

His company only became aware of the issue after a reporter from Vice Media contacted them last week. "We looked at it and thought it was a very minimal issue," he said.

A malicious actor would only be able to access a customer's voice recording if they managed to guess the password, he said.

"We have to find a balance," Meyers said, when he addressed the toy maker's lack of password strength requirements. "How much is too much?"

He also said that Spiral Toys had outsourced its server management to a third-party vendor. In January, the company implemented changes MongoDB requested to increase the server's security.

Spiral Toys hasn’t been the only company targeted. In recent months, several hacking groups have been attacking thousands of publicly exposed MongoDB databases. They’ve done so by erasing the data, and then saying they can restore it, but only if victims pay a ransom fee.

In the CloudPets incident, different hackers appear to have deleted the original databases, but left ransom notes on the exposed systems, Hunt said.
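Added example (not MongoDB's, Spiral Toys' or the hosting vendor's code) that parses a mongod.conf and flags the combination behind the exposures described above and at the start of the article: a server bound to every interface with authorization not enabled. Assumptions: the two configuration texts are constructed, the weak one beside the hardened one; the parser covers only the two-level "section:" / "  key: value" layout of a typical mongod.conf, not YAML in general; the option names net.bindIp and security.authorization are MongoDB's documented settings.

```python
"""Flag an unauthenticated, network-reachable mongod from its config file.
Added example with constructed configs, not vendor code."""

# Constructed: the exposed pattern (no security section, bound to all interfaces).
WEAK_CONF = """\
# constructed mongod.conf for illustration
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same service restricted to loopback with authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> dict:
    """Minimal parser: top-level sections holding indented 'key: value' lines.
    Comments and blank lines are dropped; nested deeper than two levels is not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def exposure_findings(conf: dict) -> list:
    """Return human-readable findings; an empty list means neither weak setting is present."""
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp")
    authz = conf.get("security", {}).get("authorization", "disabled")

    if bind_ip is None:
        findings.append("net.bindIp not set: listening interface depends on the build's default")
        public = False
    else:
        public = any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
        if public:
            findings.append(f"net.bindIp={bind_ip}: listens on every interface")

    if authz != "enabled":
        findings.append("security.authorization is not 'enabled': any client that connects can read or drop data")
    if public and authz != "enabled":
        findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", exposure_findings(parse_mongod_conf(text)) or "no findings")
```

The check treats the two settings independently and then as a pair: a loopback-only server without authorization is still a finding (any local process can read everything), and an authorized server on all interfaces still invites brute force, but the article's scenario needs both, which is why that case is reported separately.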

Although the CloudPets databases are no longer publicly accessible, it appears that the toy maker hasn't notified customers about the breach, Hunt said. The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys.

But Meyers said the company found no evidence that any hackers broke into customer accounts. To protect its users, the company is planning a password reset for all users. "Maybe our solution is to put more complex passwords," he said.


Michael Kan

IDG News Service