Millions of Kid’s Voice Messages Potentially Obtained in Toy Breach

Media Division | March 2, 2017

Internet of Things (IoT) devices continues to become increasingly popular.  Every day, more of our daily used objects are being connected and integrated into cyber space.  Even select kid’s toys now have the ability to connect to the internet for different functions.  Though, with the increased incidences of cyber attacks, IoT kid’s toys lacking proper cyber security can be a major concern for exploits.

One of the more popular IoT kid’s toys is called CloudPets.  These teddy toys allow parents and kids to exchange voice messages across the internet.  They function by allowing the parent or child to speak into the toy to record a message, which is then uploaded via bluetooth to cloud storage linked to a mobile app.  The voice message can then be downloaded and listened to through a separate Cloud Pets toy.  This allows the parent and child to stay connected in a fun and unique way that both could enjoy.  But unfortunately, as mentioned above, cyber security can be an issue for anything connected to the internet.  And in a recent incident, hackers were able to gain access to the database which contained all of the user accounts, as well as potentially 2.2m voice messages.

The Method of Compromise

One of the most unfortunate aspects of this breach is that it was in no way a complicated or sophisticated compromise.  In fact, CloudPets had left their data stored on a MongoDB that required no authentication to access, which was also indexed by Shodan (A search engine for IoT devices).  The company had left their data in an unprotected state around Christmas, which allowed hackers to access it by nothing more than a simple Shodan search.  And in an even worse occurrence, numerous hackers had accessed the data, some even deleting the database and then requesting a ransom for it.  And around mid-January, a Shodan search displayed that there were no more publicly accessible CloudPets databases.

How CloudPets Blatantly Dropped the Ball

This is a large example of a breach being handled completely incorrectly.  For one, the company must have had knowledge of the compromised database, and yet none of the affected parents were ever informed of the breach.  The company had also allowed the database to repeatedly be accessed and compromised for weeks without taking any action to secure it.  And finally, one of the researchers that had initially discovered the vulnerability in December had attempted to contact CloudPets three different times with no response, with even the company’s support email address apparently being out of service.  Another researcher had also attempted to contact CloudPets about the incident with no avail.  This simply displays a lackadaisical and neglectful position of the company in relation to cyber security.  Although, the lack of returned emails and reaction to the compromise can potentially be somewhat explained by one factor.  With reference to the current stock prices and lack of communication, it appears that CloudPets and the parent company, Spiral Toys, may be on their way out.

Properly Handling Incidents with Data Breach Solutions

While formidable cyber security that prevents breaches is the most ideal scene, a company must also have contingency plans in the event of a breach.  An organization can often times come back from a compromise, but only if it is properly handled through data breach solutions.  A breach can cause financial and data loss, as well as reputational and trust damage, which can tank an organization if they do not begin immediate reparations.  Massive Alliance provides thorough data breach solutions that can help your organization to rebuild after a compromise.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.