The data of over 800,000 smart teddy bears has been exposed. Spiral Toys, the company behind CloudPets smart teddy bears, has left over two million individual recordings unprotected on its private server.
The credentials of the exposed recordings were stored in a MongoDB database that was easily searchable using Shodan tool. Further, the voice recordings themselves were stored in an unsecured Amazon S3 bucket.
Spiral Toys used a hashing function called bcrypt to protect the sensitive data. However, the same function is often in use by many open source platforms.
While the system was already vulnerable, many users had set weak passwords that even failed the additional security measures used in CloudPets teddy bears.
“They [parents] do not necessarily realise that every one of those recordings — those intimate, heartfelt, extremely personal recordings — between a parent and their child is stored as an audio file on the web,” security researcher Troy Hunt, who spotted the vulnerability, wrote in a detailed post.
Cybersecurity experts believe that the backend database of CloudPets was overwritten twice since the start of January this year. This suggests some previous hack attempts.
This is not the first time when Internet of Things (IoT) has made toys vulnerable. Toymaker company VTech faced a massive cyberattack last year. The breach affected millions of parents and children.
Germany had also recently banned IoT-backed doll Cayla due to concerns of some similar attacks. The German telecommunications watchdog had issued an advisory to parents to destroy the IoT dolls and abandon their fresh purchases.