Two million voice messages recorded by parents and their children via a “smart” cuddly toy have been leaked online, according to a cybersecurity researcher.
Troy Hunt said the company behind CloudPets accidentally made a database including 800,000 customers’ login credentials and messages publicly accessible.
Passwords were protected using an advanced security system, but there were no password rules, Hunt said. As a result, some users allegedly employed very simple passwords which were easy to crack.
CloudPets are designed to let parents and children send heartfelt messages to each other using the bear and a smartphone app.
Motherboard reported that the data was exposed from at least late December to 12 January and that hackers held it for ransom.
At the time of publication, the company behind the toys, Spiral Toys, had not responded to HuffPost UK’s request for comment.
“It only takes one little mistake on behalf of the data custodian [...] and every single piece of data they hold on you and your family can be in the public domain in mere minutes,” Hunt wrote in a blog post about the incident.
Ken Munro, a British security researcher, told the BBC: “If you have a CloudPets bear, switch it off.
“It might be a good idea for people to try to delete their accounts - it’s possible that the recorded data might go.
“Try to remember what password you set for the account - and if you used it anywhere else, change it.”
The news comes just days after German parents were urged to destroy their children’s “My Friend Cayla” dolls in light of fears they can reveal personal data.