Your Kid’s CloudPets Data Has Been Leaked And Ransomed

Millions of emails, passwords and voice recordings were leaked

Feb 28, 2017 at 11:54 AM ET

Your kid’s cute, cuddly CloudPets plush doll has been compromised, and hackers may have downloaded all the voice messages you exchanged with your children.

A recent data leak exposed the login credentials of more than 800,000 people who own Spiral Toys’ CloudPets, a line of plush toys that interact with children by telling them lullabies, teaching them lessons, and functioning as a walkie-talkie. The leak also exposed 2 million recordings of heartfelt voice messages between kids and their parents, according to Motherboard.

The leaked data was reportedly left unprotected by Spiral Toys on a third-party database, MongoDB, that had been completely exposed — meaning visitors didn’t need to supply any credentials to access its contents — since Christmas Day, 2016. Hackers then apparently stole the data and held it for bitcoin ransom, according to analysis by security researcher Troy Hunt.

Spiral Toys told Vocativ it was informed in January that CloudPets could have been part of a massive attack that compromised over 28,000 MongoDB instances globally. However, contrary to reports, the toy manufacturer claims “no message data was leaked on the internet.”

“We want to be clear that no messages or images were compromised since they are on another server entirely and without both the login information and password they are nearly impossible to reach,” Spiral Toys said.

This isn’t the first time an internet-connected toy has come with massive security flaws. Last year, smart dolls like Hello Barbie and My Friend Cayla were reported to be at risk of being hacked, and of being exploited by manufacturers for marketing purposes.

“It is mind-boggling that Spiral Toys didn’t take even minimal steps to protect children’s incredibly sensitive data and intimate conversations with their parents,” Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, told Vocativ. Referring to Hunt’s documented but fruitless attempts to alert the company to his findings, Golin said, “they didn’t respond to multiple attempts to inform them that they were leaving children vulnerable.”

As advocates for children’s privacy and safety, Golin and the CCFC generally advise parents not to buy toys that connect to the internet — so-called Internet of Things devices — because they can get hacked and put children at risk.

“Parents need to understand that Internet-connected toys aren’t safe and that traditional toys are actually better at fostering creativity,” Golin said. “Children can derive loads of comfort and engage in endless hours of pretend play with a regular, old-fashioned stuffed animal — with no risk that their private conversations will end up in the wrong hands.”

Hunt said the passwords on CloudPets were often extremely basic, like “123456,” because the app set no requirements for a strong one. Since the breach, Spiral Toys said, it has increased security and will be updating its app to ask customers to change their passwords and make them stronger.

If you own a CloudPets toy and want to check whether your account was compromised, you can do so safely on Hunt’s website, Have I Been Pwned.