By Lily Dane
“Smart” stuffed animals that listen to the voices of children and parents have leaked over 2 million recorded messages online – and hackers are now holding them for ransom.
Cybersecurity expert Troy Hunt reports that an unnamed source contacted him about a data breach affecting CloudPets stuffed toys. The Bluetooth-connected stuffed animals let parents upload and download messages to and from their children via an app.
Hunt goes on to explain that most parents may be technically literate enough to set up a WiFi password but not savvy enough to understand how these toys actually work:
They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).