A company that sells “smart” teddy bears leaked 800,000 user account credentials—and then hackers locked it and held it for ransom.
UPDATE, Feb. 28, 12:25 p.m. ET: After this story was published, a security researcher revealed that the stuffed animals themselves could easily be hacked and turned into spy devices.
A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen.
Since Christmas Day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn't behind a firewall or password-protected. The MongoDB database was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data.
The exposed data included more than 800,000 emails and passwords. The passwords were hashed with bcrypt, a deliberately slow hashing function that is supposed to make them harder to crack. Unfortunately, however, a large number of these passwords were so weak that it's possible to crack them anyway, according to Troy Hunt, a security researcher who maintains Have I Been Pwned and has analyzed the CloudPets data.
During the time the data was exposed, at least two security researchers, and likely malicious hackers, got their hands on it. In fact, at the beginning of January, during the time several cybercriminals were actively scanning the internet for exposed MongoDB databases to delete their data and hold it for ransom, CloudPets' data was overwritten twice, according to researchers.
Two researchers warned Motherboard of this security breach independently in the last few weeks. With their help, Motherboard was able to verify that the breach was legitimate.
As we've seen time and time again in the last couple of years, so-called "smart" devices connected to the internet—what is popularly known as the Internet of Things or IoT—are often left insecure or are easily hackable, and often leak sensitive data. There will be a time when IoT developers and manufacturers learn the lesson and make secure by default devices, but that time hasn't come yet. So if you are a parent who doesn't want your loving messages with your kids leaked online, you might want to buy a good old fashioned teddy bear that doesn't connect to a remote, insecure server.
"It only takes one little mistake on behalf of the data custodian [...] and every single piece of data they hold on you and your family can be in the public domain in mere minutes," Hunt wrote in a blog post about the incident. "If you're fine with your kids' recordings ending up in unexpected places then so be it, but that's the assumption you have to work on because there's a very real chance it'll happen."
News of the breach of CloudPets comes just a few days after Germany warned parents that an internet-connected doll could spy on their children and forced it out of the stores. This is also the latest in a growing string of embarrassing security incidents for toymakers, the worst one being that of Hong Kong-based VTech, which lost the personal data of 6.3 million children and 4,854,209 parents, including selfies they took and private chats they had.
Spiral Toys, which appears to be based in California, could not be reached for comment. Multiple emails to different addresses were not answered, and no one from the company answered any of the phone numbers associated with them. The company appears to be in financial trouble and might be going bankrupt, given that its stock value is around zero.
The CloudPets database is making the rounds in the internet underground, according to both Hunt and Victor Gevers, the chairman of the non-profit GDI Foundation which discloses security issues to affected victims. Gevers saw the database while it was exposed online at the end of last year, and said it contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages.
The voice messages themselves were not in the database, according to the researchers. But Hunt found out that they were stored in an Amazon S3 bucket that doesn't require authentication. So as long as hackers could guess the URL of the files, they could listen to the messages. Hunt said he believes that was definitely possible. Moreover, many customers used incredibly weak passwords such as 123456 or "cloudpets" (in part probably because the app allowed users to create accounts even with as short a password as "qwe," as this video shows), making it trivial to log into their accounts and listen to the saved messages.
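As a defender's illustration of the sign-up weakness described above (accounts created with passwords as short as "qwe"), here is an added Python example, not CloudPets' or Spiral Toys' own code: it rejects weak passwords before they are ever hashed, since a slow hash like bcrypt cannot protect a password that is on every guessing list. The minimum length and denylist are assumptions, and PBKDF2 from the standard library stands in for bcrypt so the snippet runs without extra packages.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12  # assumed policy; the article describes accounts created with "qwe"
# Constructed denylist: the weak passwords the article names plus the product names.
DENYLIST = {"123456", "password", "qwerty", "qwe", "cloudpets", "spiraltoys"}
PRODUCT_NAMES = ("cloudpets", "spiral toys", "spiraltoys")


def password_problems(password: str) -> list:
    """Return every reason the password is unacceptable; an empty list means OK."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in DENYLIST:
        problems.append("on the common-password denylist")
    if any(name in lowered for name in PRODUCT_NAMES):
        problems.append("contains the product name")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hash; PBKDF2-HMAC-SHA256 here as a stand-in for bcrypt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """Gate that the sign-up path should enforce: policy first, then hash."""
    problems = password_problems(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)
```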
To make matters worse, the data was exposed two months ago, and since then, the company hasn't notified the victims, nor disclosed the breach.
"They were very irresponsible."
"They were very irresponsible because they had to know about this. I have been ringing so many doorbells," Gevers told Motherboard. "People make mistakes. It's the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality and then you should not be in this industry or in any in which you are responsible for such data."
Gevers said he found the database online in late December and tried to alert the company of the risks of leaving such data exposed online. However, he couldn't get any answer from CloudPets nor its parent company Spiral Toys. Eventually, hackers wiped the open database as part of widespread ransom attacks on open databases on January 12, according to Gevers.
"I have been trying to reach through email, Linkedin, Zendesk, Twitter," Gevers told Motherboard in an online chat. "I even tried to reach the people via the private email. Never got a response."
Jason Pagel, a student in a workshop that Hunt taught last week and a father to a 6-year-old girl, found out about the breach thanks to Hunt, and was appalled by the leak.
"My bigger concern is that someone may be able to use this information to send inappropriate messages to my 6-year-old daughter," Pagel told Motherboard via email. "[My parents] certainly won't be sending any more messages to their granddaughter through this. And while I doubt we will throw the toy away, it's effectively been reduced to a way overpriced stuffed animal."