CloudPets’ connected stuffed animals leaked more than 2 million voice recordings of parents and children because of their poor database security. This is only the latest compromise happening with children’s toys.
The breach was first reported on Tuesday in a blog post by Troy Hunt, a Microsoft guru who specializes in cloud and online security. Hunt informs that CloudPets’ data was saved to a MongoDB database on an Amazon-hosted service that was publicly available and required no authentication, not even a password. Hunt goes on to say that the database was filed by Shodan, a search engine known for finding connected things, and evidence shows that since December 25, 2016 the stored data had been accessed multiple times by multiple people. CloudPets’ parent company, Spiral Toys, was notified at least four times about the breach, however, Hunt explains that some attempts to contact the company failed due to dead email addresses. In any event, there is no way Spiral Toys was not aware of the leak due to evidence left from criminal ransom demands.
Although this is a wake-up call to parents, businesses can take a lot away from the CloudPets breach, explains cybersecurity expert, Vinny Troia, CEO of NightLion Security. “Many businesses have not taken cybersecurity as seriously as they should be, until it’s too late,” Troia continues, “they take shortcuts that do not properly protect them against cyber criminals, and then are floored when their system becomes compromised.” Troia goes onto to explain that today cybersecurity needs to be at the forefront of businesses’ minds or they are going to be the next Spiral Toys.
The CloudPets incident is only the most recent compromise involving IoT toys, but they are certainly not the last. Both businesses and parents need to take the proper steps to protect the user data and their children from the darker side of the cyber world.