Smart teddy bears from CloudPets have been reported to be involved in a massive data breach that leaked thousands of recordings of children and their parents. Owners of these stuffed animals should consider changing their passwords. The toys can send and receive voice recordings between parents and children.
The data breach was estimated to affect more than 800,000 users. The leak was announced on February 27 and drew the attention of several security researchers, who argued that because of this glitch hackers may have gained access to users’ recordings. Nevertheless, Spiral Toys, the company behind these products, has denied any accusation that the toys were hacked.
Mark Myers, the CEO of the company, stated that voice recordings were not stolen. Troy Hunt, a security researcher who tracks data breaches, reported this incident on Monday. He claims that hackers might have accessed a CloudPets database containing hashed passwords and email addresses, and that they even attempted to ransom the data back in January.
This incident underlines the danger to which CloudPets owners are exposed when using these connected toys. Information that passes through them is likely to be exposed. In the case of CloudPets, the brand reportedly made the error of storing users’ data in an online MongoDB database that was publicly accessible.
What is more, this database did not even require authentication. Anyone who wanted to access it would have been free to do so. Nevertheless, the passwords exposed in the breach appear to have been hashed with the bcrypt algorithm, which could make them difficult to crack.
Hunt argued that CloudPets did not enforce any password strength requirements. This means that it accepted whatever characters the user decided to include. As a demonstration, Hunt was able to crack a large number of passwords simply by trying standard terms like 123456, cloudpets or qwerty. Anyone who had the data would have been able to crack many passwords, log on to different accounts and download voice recordings.
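The following is an added example, not code from CloudPets, Spiral Toys or Troy Hunt: a signup-time check that would have rejected the passwords named above before they were ever hashed, since bcrypt cannot protect a password that appears on every guess list. The blocklist, the minimum length and all function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list of
# commonly used and previously breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111", "abc123"}
MIN_LENGTH = 8  # assumed policy value
# Undo simple character substitutions such as 0 -> o and 3 -> e.
LEET = str.maketrans("013457@$!", "oleastasi")


def variants(password):
    """Return normalized forms of a password to compare against blocklists."""
    raw = password.lower()
    # Drop trailing digits and symbols ("qwerty123" -> "qwerty").
    stripped = re.sub(r"[^a-z]+$", "", raw)
    return {raw, stripped, raw.translate(LEET), stripped.translate(LEET)}


def password_problems(password, email, service_name="cloudpets"):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        problems.append("common password")
    # Context words: the service name and the local part of the account email.
    context = {service_name.lower(), email.split("@")[0].lower()}
    context = {word for word in context if len(word) >= 4}
    if any(word in form for word in context for form in forms):
        problems.append("contains service or account name")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the three terms named in the article.
    samples = ["123456", "cloudpets", "qwerty", "Cl0udP3ts2017!",
               "correct horse battery staple"]
    for candidate in samples:
        result = password_problems(candidate, "parent@example.com")
        print(candidate, "->", result or "accepted")
```
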
Victor Gevers, a security researcher at the GDI Foundation, claimed that he had also uncovered the CloudPets breach and had attempted to contact the company last December.