Data from connected CloudPets teddy bears leaked due to misconfigured database; 820,000 kids’ files exposed
Troy Hunt reports that a misconfigured MongoDB installation resulted in audio files of children’s and parents’ conversations recorded by CloudPets being exposed in a Shodan search. And as we’ve seen many other times, the exposed files were deleted by an attacker, and a purported “ransom” note left in place of the database – a ransom note that was then stomped on by another attacker’s note. Whether either of those attackers actually exfiltrated the data and saved a copy is unknown at this time. They may have just deleted the database and hoped that their victim would pay the “ransom” demand without demanding to see proof that the attacker actually had a copy of the database.
There’s a lot to feel frustrated about as you read Troy’s detailed chronology and explanations. First, there were numerous unsuccessful attempts to get CloudPets or its parent company, Spiral Toys, to secure their exposed database. Second, personal information, including date of birth, was exposed for over 820,000 parents and/or their children.
Third, Troy raises the issue of whether the audio files and personal information might be circulating on trading platforms or the dark web. There’s some evidence that he provides to suggest that at least some of it may be.
In light of the possibility, CloudPets needs to notify all customers. The company is already in a relatively impoverished state compared to past performance, and the costs of this breach could be a death knell for them. But I’ll save my sympathy for the parents and children at this point because the company had no way to contact them that worked and/or that they responded to.
Read Troy’s article here. CloudPets is just the most recent connected toy to raise privacy concerns, of course. If you’re a parent, please assume that anything the toy can record will be up on a server somewhere, just waiting, perhaps, to be hacked and misused, and whatever that toy records will be linked to your account or customer information or profile.
Scary, isn’t it?
Update: The company has responded. Read this report by Michael Kan and then this thread on Twitter which contains a fuller statement from the toymaker while I try to pick my jaw back up from the floor.