A California-based company that sells internet-connected teddy bears reportedly had a leak of more than 800,000 user credentials to the internet and unsecured access to more than two million voice messages, according to security researcher Troy Hunt.
According to Hunt, the account data was left in an unsecured database, lacking both password and firewall protection since December 25, and was accessed by multiple parties, some of them criminals who eventually stole the data and held it for ransom in the January 8 security breach.
The hackers apparently hashed the passwords for everyone involved, including the company, and are now the only ones who can access the data.
Journalists and researchers have reportedly camped out on Spiral Toys’ doorstep since the last week of 2016 to get the CloudPets security breach confirmed and patched.
Spiral Toys has not responded thus far, and the company is not known to have taken any action to fix the vulnerability.
The data is now on the internet, and with hackers who have threatened to leak the parent-kid voice recordings to everyone if their ransom demand is not met.
The news comes only weeks after the German government pulled units of toys connected to the Internet of Things off the shelves after it was established that the toys could be used by hackers to spy on the kids.
The company may want to cite lack of knowledge that its databases were publicly available, but the open efforts by researchers and journalists to reach company representatives multiple times prior to the attack would nullify the claim.
Furthermore, there was a ransom demand left behind which, Hunt believes, makes it obvious that Spiral Toys and mReady – the Romanian company that was charged with storing the MongoDB database – were conscious of vulnerabilities that resulted in the security breach.
Hunt notes in his report that the voice messages were not available in the database, but could be easily found and listened to in the Amazon S3 bucket they were stored in if hackers could determine the appropriate URLs.
Nevertheless, Hunt reckons that the weak passwords most customers used would not effectively prevent hackers from logging into the accounts and listening to the recordings.
The company’s website allowed for as short as one-character passwords, arguably due to the product having children as its target market.
In mid-January, several MongoDB databases were attacked by hackers, and CloudPets’ database looked destined for a security breach.
Most of the owners of the hacked databases came out to confirm the data breaches to the victims shortly after the reports emerged, and some even paid the ransom or otherwise responded to the demands.
Hunt believes the company merits the rage the reports elicited for not only exposing sensitive child data to hackers on the internet, but also failing to notify customers about the security breach.
This is not the first time that a security breach of this magnitude has hit a company producing internet-connected dolls.
In 2015, VTech – a Hong Kong-based toymaker – had the personal data of more than 6 million children and little under 5 million adults (mostly parents and guardians) stolen and leaked by anonymous hackers.
The data exposed in that breach included family pictures, selfies, chat conversations, and voice messages between parents and their children.
Spiral Toys’ case is eerily similar, and experts struggle to establish a legitimate justification for the Agoura Hills-based firm’s apparent negligence.
Reports, however, have surfaced that the company’s silence has been due to a looming bankruptcy rather than ignorance as its stock value is approaching the zero mark.
Victor Gevers, one of the first security experts to come across the vulnerable MongoDB database and chairman of the GDI Foundation, a non-profit organization that identifies security breaches and discloses them to victims, told parents to beware of Internet of Things toymakers promising online security, as it is quite costly to provide that level of data security.
John Madelin, CEO at RelianceACSN, echoed Gevers’ warnings, telling parents that they should be prepared to face security concerns if they choose to buy their kids connected toys.