Every parent should think twice before handing out Internet-connected toys or smart toys to their children, as these creepy toys pose a different sort of danger: privacy and data security risks for kids who play with them.

This same incident was happened over a year ago when Hong Kong toymaker VTech was hacked, which exposed personal details, including snaps of parents and children and chat logs, of about 6.4 million children around the world.

Now, in the latest security failing of the internet-connected smart toys, more than 2 Million voice recordings of children and their parents have been exposed, along with email addresses and passwords for over 820,000 user accounts.

And What's even Worse? The hackers locked this data and held it for Ransom.

California-based Spiral Toys' line of internet-connected stuffed animal toys, CloudPets, which allow children and relatives to send recorded voicemails back and forth, reportedly left the voice messages recorded between parents and children and other personal data to online hackers.

Cloudpets' Data was Held for Ransom

The customer data was left unprotected from 25 December 2016 to 8 January in a publicly available database that wasn't protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?.

Hunt said that the exposed data was accessed multiple times by many third parties, including hackers who accessed and stole customer emails and hashed passwords from a CloudPets database.


In fact, in early January, when cyber criminals were actively scanning the Internet for exposed or badly-configured MongoDB databases to delete their data and ultimately hold it for ransom, CloudPets' database was overwritten twice.

Toy Maker was Notified of the Breach Multiple Times

The worst part comes in when any company is notified of some issue, but it doesn't give a shit to protect its customers. Spiral Toys did the same.

The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on — yet the data remained up for almost a week with evidence suggesting that the data was stolen on multiple occasions.

Interestingly, the CloudPets blog hasn't been updated since 2015, and there is not any public notice about the security concerns.
"It is impossible to believe that CloudPets (or mReady, [a Romanian company which Spiral Toys appears to have contracted with to store its database]) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them," Hunt said.
"Obviously, they have changed the security profile of the system, and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines."
While voice recordings were not kept on the open MongoDB databases, Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children's names, and their relations to parents, relatives, and friends.

This eventually means that anyone with malicious intent could listen to the recordings by only guessing the correct URL.

Affected? How to Check and What to Do?

This incident is perhaps something to be kept in mind the next time you are shopping for the latest internet-connected smart toy for your kid.

If you are a parent holding a CloudPets account, you are advised to check Have I Been Pwned? website, which compiles all the data from breaches and now includes users accounts stolen from Spiral Toys.

If you found your account affected, you should change your password immediately and consider disconnecting the toy from the internet.

You are also advised to change the passwords on any other online accounts for which you are using the same password as for CloudPets account.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.