Over the past several years, the Internet of things has added online connectivity to televisions, thermostats, refrigerators, and even children's toys. But with that increased connectivity comes an increased risk of personal information being leaked or held for ransom.
A recent report by security researcher Troy Hunt found that voice recordings and photos recorded by CloudPets toys were leaked online due to a security vulnerability. The toys connect to a mobile app that lets family members send messages to them. These messages are all stored in the cloud, in what Hunt discovered was an insecure database. "I suspect one of the things that will shock people is that they probably didn't think through the fact that when you connect the teddy bear, your kids’ voices are sitting on an Amazon server," Hunt said.
Over 820,000 user accounts, containing over 2 million voice recordings, were left exposed by the security vulnerability. Subsequently, someone used the security breach to delete all of the cloud data and demanded a ransom from CloudPets in exchange for the data, but the company avoided paying the ransom by restoring its data from a backup. The data is no longer publicly accessible, but the company has reportedly not notified its customers of the leak or warned them to change their passwords.
CloudPets is not the only toy company to fall victim to a security breach. In 2015, the personal data of 4.8 million parents and 6.4 million kids was exposed when educational toymaker VTech was hacked. Earlier this month, Germany's telecommunications regulator warned parents to destroy a My Friend Cayla doll that could be used to spy on families.