In case you didn't know, cloud connected children toys are a thing and hackers are having a field day with them. CloudPets from Spiral Toys has gone into a death spiral after their databases were hacked, leaked, and then ransomed online multiple times. According to an investigation by security expert Troy Hunt, the leaked data contained children's voice messages as well as account details. He discovered these files were just sitting exposed online waiting for hackers to get to them.
The plush toy records and then plays back audio messages between parents and their kids using a mobile app. This commercial gives a good idea of its intended use. Right away this brings up some security concerns about how a child's voice is stored and transmitted over the cloud. Security isn't something that the average parent would think about when purchasing a toy, and something CloudPets certainly didn't think about either. Hunt discovered that "CloudPets left their database exposed publicly to the web without so much as a password to protect it."
After a simple investigation, he was able to discover and access hundreds of thousands of user accounts and over 2 million voice recordings. The toy company implemented no password security protocols, meaning he was also able to crack many of the passwords in a very short time. It gets worse though. The company had been warned at least 4 times of the vulnerability, dating back to December of 2016, and they did nothing.
Concerned parents can search their email address here to see if they were impacted.
Spiral Toys' stock has taken a nosedive although it was already selling for less than a penny per share. If you or anyone you know has a CloudPets device, you should change your password at the very least and make sure that same password is not used on other online account.