Feb 272017
 

Troy Hunt reports that a misconfigured MongoDB installation resulted in audio files of children’s and parents’ conversations recorded by CloudPets being exposed in a Shodan search. And as we’ve seen many other times, the exposed files were deleted by an attacker, and a purported “ransom” note left in place of the database – a ransom note that was then stomped on by another attacker’s note. Whether either of those attackers actually exfiltrated the data and saved a copy is unknown at this time. They may have just deleted the database and hoped that their victim would pay the “ransom” demand without demanding to see proof that the attacker actually had a copy of the database.

There’s a lot to feel frustrated about as you read Troy’s detailed chronology and explanations. First, there were numerous unsuccessful attempts to get CloudPets or its parent company, Spiral Toys, to secure their exposed database. Second, personal information, including date of birth, was exposed for over 820,000 parents and/or their children.

Third, Troy raises the issue of whether the audio files and personal information might be circulating on trading platforms or the dark web. There’s some evidence that he provides to suggest that at least some of it may be.

In light of the possibility, CloudPets needs to notify all customers. The company is already in a relatively impoverished state compared to past performance, and the costs of this breach could be a death knell for them. But I’ll save my sympathy for the parents and children at this point because the company had no way to contact them that worked and/or that they responded to.

Read Troy’s article here. CloudPets is just the most recent connected toy to raise privacy concerns, of course. If you’re a parent, please assume that anything the toy can record will be up on a server somewhere, just waiting, perhaps, to be hacked and misused, and whatever that toy records will be linked to your account or customer information or profile.

Scary, isn’t it?

Update: The company has responded. Read this report by Michael Kan and then this thread on Twitter which contains a fuller statement from the toymaker while I try to pick my jaw back up from the floor.

  3 Responses to “Data from connected CloudPets teddy bears leaked due to misconfigured database; 820,000 kids’ files exposed”

  1. —–BEGIN PGP MESSAGE—–

    hQIMAzrnxAo1eKabARAAqr7SgjC2xpGF0pvkz7kkxUOqmZRI/c6XaneE3+Lu8i+w
    sYYfy06tXdNZvIQnq9M8Uwc0dD863ozh3CwQ20+51mIfpLmVkMbS1bd5PJUQLeXj
    SgbgYiAhjZzsZhzyQzQzMW8nnpIg6bVWRcd7C2GXc4UIcmf7ftpLd6pyUEw8UH5v
    ngRB78iarXU/X+GuIHbrfPNawq9PlfRwwXicoj6Seol30eQ44+cvuZFCm8WcB9c2
    6oToVUwbTL0P9FvHzisN2sPDH5l/ZmU91lW1xV5pZl1yRSYBTqr76lW/Q0jahRkN
    4wUYlvFE+tkPHRMtwY5h9e5u4ROCG63mrgp4EricufQQ+6axjN0UM1OIscj2xuVN
    QUBQO4I9EcRiWwAVFs3pQfndrIVXBloduZWMu0tJXq6QWkdaD/KEDmUVTDxXbjmT
    SzntuqrD8zPl+YAS5VYcywsrON65vbNWO7d/9loYm72UWL27zDao5CMVTCNU77aP
    OX++wJnK+lv3nps8ErH0V0iB1fLN0yHyX1vrMgNRhatWh1/EAU4GKaQx8UmHU1kG
    mibHWLqKG1JVa+OjMXndt6eG7/j/+UOS8w4lTMgTsW1S6U2WENR4KGT42L+58+IV
    mxNAxkX4rjXEUVTKcNnoLMMVnbT3QlAzp7lvDRJwa6R0ZNp/XzoGYPyxQTC0TPTS
    VwGsv5ZKscmS8O11Mn8+tPaa2OLBafx/sZivAigr88vyqRhKgNcKy2LnPucEA2GA
    l1AUWEvYJ2rA+6x5xINPEBnYz+KRP2/ofCZncaQercJL1GOxcl8mDA==
    =F9RF
    —–END PGP MESSAGE—–

Sorry, the comment form is closed at this time.