A firm that sells internet-connected smart stuffed toys, which allow children and their parents to communicate via voice messages, reportedly left the data of over 800,000 user accounts exposed.
The data leak also saw over 2 million recordings of children and parents completely exposed online. Spiral Toys' line of connected stuffed toys, CloudPets, reportedly left the data unprotected from 25 December 2016 to around 8 January.
The leak reportedly involves email addresses and passwords of hundreds of thousands of users exposed in a publicly accessible MongoDB database, which was not password protected, according to security researcher Troy Hunt.
Hunt said the leaked data was accessed multiple times by different parties, including hackers who later held the data for ransom. He claimed that the MongoDB database was fairly easy to find using Shodan.
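The root cause described above is a MongoDB instance that was reachable from the internet and required no authentication. The following is an added illustration, not configuration from CloudPets, Spiral Toys or any source cited in the article: a `mongod.conf` fragment showing that weak pattern beside the corrected one. The private address `10.0.0.5` is a constructed placeholder for an application-network interface.

```yaml
# --- Weak: the pattern behind the CloudPets exposure (illustrative, not the real config) ---
# Listening on every interface with authorization disabled means anyone who can
# reach port 27017 can read and delete every database without credentials.
net:
  bindIp: 0.0.0.0          # all interfaces, including the public one
  port: 27017
security:
  authorization: disabled  # no username/password required

# --- Corrected: bind only to interfaces the application actually uses and require auth ---
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address (10.0.0.5 is a placeholder)
  port: 27017
security:
  authorization: enabled       # every client must authenticate with a role-limited user
```

With `authorization: enabled`, an administrative user has to be created (via `localhost` before restarting, or through the localhost exception) or no client will be able to log in at all; after the restart an unauthenticated `show dbs` should fail with an authorization error rather than listing databases, which is the quickest local check that the change took effect. Restricting `bindIp` also means the host no longer appears as an open MongoDB service to internet-wide scanners such as the Shodan lookups the article mentions, and a firewall rule limiting 27017 to the application hosts provides a second layer if the configuration is ever reverted.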
According to security researcher Niall Merrigan, who has been tracking MongoDB attacks since they first began in January, two of CloudPets' original databases were deleted by 7 January.
Hunt said that repeated attempts to contact CloudPets via various channels, including its hosting provider, did not yield him a response from the smart toy maker. However, by 13 January, Shodan reported that none of CloudPets' databases were found to be publicly accessible anymore.
Hunt added, "It's impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they've changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines."
The CloudPets data leak comes just days after Germany banned the popular My Friend Cayla dolls over fears that the smart toy could be used by hackers to spy on children. In 2015, Hong Kong-based VTech was hit by hackers, who stole the personal data of 6.3 million people.
"Lax security practices that expose the personal data of children and parents to data-jacking are just unconscionable," Zohar Alon, CEO and co-founder of Dome9 Security, told IBTimes UK. "Customers of public cloud services such as Amazon Web Services and Microsoft Azure have cutting-edge tools at their disposal to manage security in their environments, including identity and access management, network security and application firewalls. But the best tools can't save customers from irresponsible behavior. The agility and ease of use of the public cloud make it just as easy to build new apps that don't take security into account."
CloudPets has yet to confirm or disclose the breach. According to a report by Motherboard, the firm has not notified customers about the leak either. Victor Gevers, founder of the non-profit GDI Foundation, which notifies victims of security issues, said that he found the exposed CloudPets database online in late December and attempted to alert the firm. However, he received no response from CloudPets or its parent company Spiral Toys.
"I have been trying to reach them through email, LinkedIn, Zendesk, Twitter," Gevers said. "I even tried to reach the people via the private email. Never got a response."
"They were very irresponsible because they had to know about this. I have been ringing so many doorbells," Gevers told Motherboard. "People make mistakes. It's the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality, and then you should not be in this industry or in any in which you are responsible for such data."
Spiral Toys, in response to Motherboard's report on the leak, told CNNTech that no messages or images were compromised.