Spiral Toys, the maker of a line of internet-connected teddy bears that allows children and parents to share messages with one another, allowed nearly one million user credentials and more than two million private messages to be exposed online, according to a report from Motherboard.
The information comes from the users of CloudPets, a popular brand of internet-connected toys for kids. The toys are advertised with features that allow parents to communicate with their kids through the toy via a smartphone app. Children can respond to the message by recording their own through the toy.
Millions of those messages—about 2.2 million, according to security researcher Troy Hunt—sat online in a database that was neither behind a firewall nor password-protected and could be found through Shodan, a search engine that lets users locate unprotected websites and servers.
The database was first exposed online on Dec. 25, 2016, and sat unprotected until at least the first week of January.
Also included in that leak were about 800,000 login credentials, including usernames and passwords. While the passwords were hashed using bcrypt, a hashing function designed to be slow to brute-force, CloudPets enforced no password-strength requirements: a password of “a” would be accepted, which makes such simple passwords easy to crack despite the hashing.
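The failure described above is a policy gap rather than a hashing gap, so the defensive fix is to reject trivial passwords before they are ever hashed. The following is an added example written for this article, not code from Spiral Toys or CloudPets; it uses Python's standard-library scrypt as a stand-in for bcrypt (which Python does not ship) and a constructed, deliberately tiny denylist.

```python
import hashlib
import hmac
import os

# Constructed policy for this example, not CloudPets' actual settings.
MIN_LENGTH = 12
# Tiny constructed denylist; a real deployment checks a large breached-password list.
TRIVIAL = {"a", "password", "123456", "cloudpets", "qwerty"}

def check_policy(password: str) -> list[str]:
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in TRIVIAL:
        problems.append("on the trivial-password denylist")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems

def hash_password(password: str) -> bytes:
    """Hash only after the policy passes; a slow hash cannot rescue a one-character password.
    scrypt stands in for bcrypt here (assumption for the example); salt is stored with the digest."""
    problems = check_policy(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)
```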
According to a report from Motherboard, at least two security researchers found the CloudPets data online. It seems likely that hackers or other malicious actors got their hands on the database as well.
Spiral Toys, the maker of CloudPets, appears to be in dire financial straits at the moment, which may explain the negligent handling of customer data. Spiral Toys’ market cap is down more than 99 percent from its peak value, and the company has all but abandoned the social media presence of CloudPets, last tweeting from its Twitter account on June 30, 2016.
This is not the first time an internet-connected toy has led to private data and communications being leaked. Children’s toymaker VTech admitted in 2015 that five million of its user accounts were hacked, leading to messages, emails, and pictures of kids linked to their profiles being made available online.
Last year, consumer watchdogs in the United States and Europe filed a lawsuit against smart-toy makers for allegedly using voice communications recorded by their products without permission. A privacy watchdog in Germany advised parents to destroy “My Friend Cayla” toys for using an insecure and hackable Bluetooth connection to transmit user information.