SAN FRANCISCO – CloudPets maker Spiral Toys left 2.2 million children’s voice recordings and account info exposed, reports say, and it appears hackers stole and ransomed user data.

This is bad news for parents and kids who sent each other voice messages through internet-connected stuffed animals called CloudPets: Their account information and voice recordings were left exposed on the internet, ready for anyone with a few web search skills to find. That’s according to reports published Monday by cybersecurity expert Troy Hunt and by Motherboard, Vice’s cybersecurity publication.

The account information of more than 800,000 users, which included email addresses and easily guessed passwords, was stored on an online database that could be viewed by anyone — no password required, both reports said.
Nearly 2.2 million voice recordings were also stored online unsecured. Hackers could listen to them by guessing the URL of the recording, Hunt found. Finally, both Hunt and Motherboard reported that hackers appear to have wiped the user database clean and held its contents for ransom at least twice.

Spiral Toys, the maker of CloudPets, said in an email Monday that the voice recordings were not compromised. The company didn’t comment on whether its database was accessed and ransomed by hackers, or whether hackers could have accessed the voice recordings either by guessing easy passwords or the URLs of voice recordings. Spiral Toys didn’t respond to follow-up questions from CNET on these topics.

To read the rest of this story on CNET, click on https://www.cnet.com/news/cloudpets-iot-smart-toy-flaws-hacking-kids-info-children-cybersecurity/