CloudPets Breached and Kids’ Voice Messages Exposed

Security experts are warning of yet another major data breach involving a connected toy company, exposing over 800,000 user accounts and potentially the voice recordings made between parents and their children.

The firm behind the CloudPets platform was contacted multiple times from December onwards about a possible breach, after it was discovered that more than 820,000 user accounts were left exposed and publicly accessible in a MongoDB database with no password protection.

Then at the beginning of January the original database was deleted and a ransom demand left on the exposed system, according to researcher Troy Hunt.

Although passwords were protected with the bcrypt hashing algorithm, there was apparently no minimum requirement regarding password strength, meaning users were able to save a single-letter log-in credential if they wished.

“What this meant is that when I passed the bcrypt hashes into hashcat and checked them against some of the world's most common passwords (‘qwerty’, ‘password’, ‘123456’, etc.) along with the passwords ‘qwe’ and ‘cloudpets’, I cracked a large number in a very short time,” explained Hunt.

“Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.”

Around 2.2 million voice recordings between parents and their children are thought to have been exposed following the breach.

However, remarkably, the California-based owner of CloudPets has hit back at reports, claiming that the breach was a “very minimal issue.”

"We have to find a balance," Spiral Toys CEO mark Myers told IDG of his decision to opt for minimal password security requirements. "How much is too much?"

The incident is certainly not the first involving a toy manufacturer.

In November 2015, Hong Kong-based VTech revealed an unauthorized party had accessed customer data, including that of children, after what turned out to be an SQL injection attack.

Also, earlier this month, the German telecoms regulator urged parents to bin the talking Cayla doll after it was revealed that hackers could use an insecure Bluetooth device in the toy to listen and talk to the child playing with it.

What’s Hot on Infosecurity Magazine?