Account information on 800,000 CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports. In the case of CloudPets, owned by Spiral Toys, it wasn't the cute and huggable smart stuffed toys hackers were hugging, but the data. The parent or child speaks into a microphone inside the toy, which uses a Bluetooth interface to upload the recording to cloud storage via an Android or iOS smartphone app tied to an account. The leak was announced on February 27, and it drew the attention of several security researchers, who argued that due to this glitch, hackers may have been granted access to users' recordings.
Numerous passwords for the CloudPets accounts were easily crackable because no rules for password strength were enforced, meaning they could be just one character long.
Those recordings don't necessarily present a security threat in and of themselves, Hunt said, but parents should certainly be aware of what's out there. After advising a password reset, Hunt asked for his original CloudPets password. However, connected toys pose certain privacy and security risks that, if exploited, could have lifelong impacts for affected children.
With a little sleuthing, and some help from CloudPets users willing to serve as guinea pigs, Hunt tracked down some surprisingly personal information on the CloudPets servers.
But as Hunt and other investigators found, kids' information was stored in an insecure database that didn't require authentication to access it. Anyone who saw the data could download a child's CloudPet audio files, and there was no way of telling how many people had done that at this point, according to Hunt.
It's all very innocent and cute, until you fast forward to December of last year, when the CloudPets database started leaking private information like a sieve.
The breach was first reported in a blog post from Troy Hunt, a Microsoft regional director, on Tuesday.
He noted that California, where Spiral Toys is based, requires companies to notify users in the case of a data breach, which includes the disclosure of email addresses and passwords that permit access to an online account.
Connected toys have been hacked, with children's voice recordings leaked and attackers leaving ransom notes in the targeted database - but the company behind the stuffed animals has refused to admit it's done anything wrong.
Equally troubling, Stone says he'd spent five months attempting to report the issue to Spiral Toys, but he's received no response.
The latest cautionary tale comes from CloudPets, a company that makes cute bears and dogs that can pass voice messages between kids and their parents.
Smart devices are proliferating, many of them through crowdfunded efforts or new startup business ventures. "We have to find a balance", he said, referring to the need to weigh security against ease-of-use. Rather shockingly, he added: "We looked at it and thought it was a very minimal issue".
Victor Gevers, who is a security researcher at the GDI Foundation, claimed that he also revealed the breach from CloudPets and attempted to contact the company last December.
The main takeaway? Think twice before you welcome any internet-connected device into your home, particularly ones that children may interact with on a regular basis.