Millions of personalized audio messages meant only to be heard by parents and their children were publicly exposed on the internet, hacked and held for ransom, a prominent security researcher reported this week.
Spiral Toys, the maker of CloudPets, notified the California Attorney General’s office Tuesday of a recent data breach affecting owners of its high-tech brand of teddy bears after it was reported that poor security practices on the company’s part had caused hundreds of thousands of user accounts to become compromised.
CloudPets uses Wi-Fi and Bluetooth technology to broadcast audio messages in the form of a fluffy animal. Owners are instructed to record greetings with an iOS or Android app which are sent over the internet, downloaded by a device near the toy and then transmitted wirelessly to a speaker within.
“When the CloudPet has a message, its heart blinks. When your child squeezes its paw, the message plays,” its website states.
Spiral Toys advertises that owners of the toy can “send [and] receive messages you can hug from anywhere in the world.” According to a report this week, however, those messages and other personal data were stored on a publicly accessible database that lacked rudimentary security safeguards and was subsequently breached repeatedly within the last few weeks.
Troy Hunt, a former systems architect for Pfizer and a recipient of Microsoft’s Most Valuable Professional award, disclosed the issue in a blog post Monday. Multiple individuals had tried to notify Spiral Toys since late last year about its unsecured database to no avail, he reported, and the compromised files have since been discovered online by multiple parties and indexed by search engines.
“CloudPets left their database exposed publicly to the web without so much as a password to protect it,” he wrote Monday.
As a result of the unsecured database, anyone looking in the right spot would have been able to easily access several gigabytes’ worth of data pertaining to over 820,000 user accounts, including profile pictures as well as nearly 2.2 million voice recordings, Mr. Hunt reported.
An examination of the database indicates user data was repeatedly accessed by hackers and even held for ransom before ultimately being deleted, Mr. Hunt reported.
“It only takes one little mistake on behalf of the data custodian — such as misconfiguring the database security — and every single piece of data they hold on you and your family can be in the public domain in mere minutes. If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen.”
Spiral Toys downplayed the researcher’s findings in an interview with Network World on Monday, with CEO Mark Meyers going as far as to say that the claim that 2 million messages were leaked is “completely false.”
“Were voice recordings stolen? Absolutely not,” he insisted.
Spiral Toys intends to contact its customers who registered their products with email addresses — about 500,000 users, by its own account — and inform them of the breach, the company said in a filing with the California Attorney General’s Office on Tuesday.
“Once we have addressed our customer needs and document the incident we will file the cyber crime with the State Attorney General in California,” the statement said, as mandated by the state’s data breach reporting law.