CloudPets Teddy data leaked and ransomed; 2.2-million private recordings leaked
Data thefts, data leaks, and ransomware are nothing new, but it is interesting, and at times scary, to realize how many ways they can happen. Hackers are now targeting cloud-connected toys, and this has put children’s privacy at risk. The degree of online presence you want your kids to have can vary, and most parents prefer a gradual approach. Germany recently banned an internet-connected doll called “Cayla” after finding it to be a potential target for hackers.
If successful, the hackers will have a treasure trove of data, including the kids’ names, birthdays, photos and links to the parents’ profiles, along with the physical address. Scary, right?
CloudPets Teddy data hacked & ransomed
CloudPets is a toy brand that lets parents record a voice message and send it to a cute teddy via the cloud and a companion app on the phone or tablet. Needless to say, most parents will have personal conversations with their kids, and all of this was stored in a MongoDB database hosted on a publicly facing network without the need for authentication. What’s worse is that the recordings had been indexed by Shodan, a popular search engine.
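As an added example (not from CloudPets or from the original article), this small Python check flags the two conditions described above in a `mongod.conf`: a listener on a non-loopback address and access control left off. The sample configs are constructed, and the parser handles only the nested `key: value` subset of YAML that such a file uses.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_simple_yaml(text):
    """Parse nested 'key: value' mappings (the subset mongod.conf uses)."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # leave deeper/sibling sections
            stack.pop()
        parent, key, value = stack[-1][1], key.strip(), value.strip()
        if value:
            parent[key] = value.strip("\"'")
        else:                                 # "section:" opens a new mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(text):
    """Return findings for network exposure and missing access control."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    if net.get("bindIpAll", "false").lower() == "true":
        exposed = ["all interfaces"]
    else:
        # mongod binds to localhost when bindIp is not set
        ips = [ip.strip() for ip in net.get("bindIp", "localhost").split(",")]
        exposed = [ip for ip in ips if ip not in LOOPBACK]
    findings = []
    if exposed:
        findings.append("listens on non-loopback address: " + ", ".join(exposed))
    # authorization is disabled unless explicitly enabled
    if cfg.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("authorization is not enabled")
    return findings

# Constructed sample: reachable from any network, no authentication
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
# Constructed sample: loopback only, access control on
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A non-loopback bind address is not by itself internet exposure; it is the combination with disabled authorization, as in this incident, that leaves the data readable by anyone who can reach the port.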
The indexed data was massive, and although one doesn’t have an exact number, apparently 583k records were public. The screenshot below shows what the records of a particular person with a CloudPets account looked like. The toy was gifted to his daughter on Christmas Day, and the password that was stored in the crypt hash was the same as the one set by the user.
The most alarming thing in this entire incident is that the toy company, CloudPets, had kept the data in the open without even an elementary password protecting it.
Despite being warned about the loophole, the toy company decided to turn a deaf ear. After a thorough investigation, the total number of users stood at a staggering 583K, which simply escalated the data breach risk. Apparently, the toy makers had their test data and production data mixed up, and this led to over 2.2 million voice recordings of parents being leaked.