Categories: Security

Millions of Kids’ Conversations Leaked Due to Teddy Bears

Recently, CloudPets’ database was hacked, and more than half a million people had their data leaked. CloudPets is a company that sells stuffed animals that are connected to the Internet of Things. Their stuffed animals can connect to an app via Bluetooth to allow parents to record audio messages or else play pre-recorded messages through the stuffed animal. While this could make a child’s toy more fun and interactive, these messages unfortunately weren’t securely stored in CloudPets’ database, along with the rest of their customers’ account information. If a major company’s database can be breached, it’s possible for hackers to access data on any of your devices, including your smartphone. DFNDR’s Advanced Protection feature ensures that even if hackers gain access to your phone, virtually or physically, they will not be able to uninstall DFNDR and your data will remain safe. Click here to activate Advanced Protection:

The CouldPets data leak included profile pictures, email addresses, passwords, and voice recordings. More than two million voice recordings of children and adults were released. Those who had their data leaked never received a notification of the leak. Cloudpets’ user data was more vulnerable largely due to weak user passwords and poor database security. They allowed users to create passwords with one letter, such as “a,” for example. This allowed users’ passwords to be easily guessed, which compromised their accounts.

How Was the Data Breach Revealed?

Troy Hunt, who runs a breach notification website, revealed that the database was publicly accessible, meaning that it wasn’t password-protected or hidden behind a firewall. According to Hunt, the data was traded online as early as last year, and often held for ransom. He had attempted to warn CloudPets of this data breach, without success. However, after CloudPets was notified of the breach — even though they did not publicly acknowledge the breach or inform users that their data was compromised — their original database was deleted. Shortly after, none of their databases were publicly accessible.

Internet of Things Devices Often Have Weak Security

This isn’t the first time that IoT-connected toys were hacked. In 2015, for example, VTech experienced a large data breach that revealed personal information of more than five million adults and 200,000 kids. Shortly after, a Barbie doll by Mattel was found to be easily hackable. The doll could be used to record conversations in real-time.

In addition to companies improving their database security, incidents like this could be prevented in the future if users follow safe online practices. This includes creating stronger passwords, using two-factor authentication when possible, and exercising caution when using IoT-connected devices. Many IoT devices, in general, are insecure; you should share as little data with them as possible, or neglect using IoT-connected toys all together until security is improved. Further, make sure that your router is a newer model that receives frequent security patches and updates.

PSafe Newsroom

The dfndr blog is an informative channel that presents exclusive content on security and privacy in the mobile and business world, with tips to keep users protected. Populated by a select group of expert reporters, the channel has a partnership with dfndr lab's security team. Together they bring you, first-notice news about attacks, scams, internet vulnerabilities, malware and everything affecting cybersecurity.