Smart toy flaws make hacking kids' info child's play

CloudPets maker Spiral Toys left children's voice recordings and account info exposed, reports say. It appears hackers stole and ransomed user data.

Account information on 800,000 CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports.

Bad news for parents and kids who sent each other voice messages through internet-connected stuffed animals called CloudPets -- their account information and voice recordings were left exposed on the internet, ready for anyone with a few web search skills to find.

That's according to reports from cybersecurity expert Troy Hunt, as well as Vice cybersecurity publication Motherboard.

The account information of more than 800,000 users, which included email addresses and easily guessed passwords, was stored on an online database that could be viewed by anyone -- no password required, both reports said. Nearly 2.2 million voice recordings were also stored online unsecured; hackers could listen to them by guessing the URL of the recording, Hunt found.

The reports come two weeks after German regulators warned parents that connected doll My Friend Cayla could compromise children's privacy. There haven't been reports of data leaking from the Cayla doll, but fears of exposing children's personal information have been percolating for a few years now.

Those fears heightened with the release of the interactive talking Hello Barbie doll in 2015 and subsequent claims from researchers that the doll had cybersecurity flaws. Other connected children's toys have also proved vulnerable to hackers, including VTech's Learning Lodge app and the Fisher-Price Smart Toy, also a smart stuffed animal.

Spiral Toys didn't immediately respond to a request for comment, and both Hunt and Motherboard said they were unable to get in touch with the company. What's more, cybersecurity experts who spoke with both Hunt and Motherboard said they tried in vain to reach the company to warn them of the exposed data. Spiral Toys is a publicly traded company that currently has a stock value of 1 cent, leading Hunt to speculate it has shuttered operations.

Hunt found that the data was no longer publicly searchable after January 13. He also said there was compelling evidence the database had been copied by hackers, who then offered to give it back to Spiral Toys for a ransom paid in bitcoin. Hunt detailed two ransom demands.
