Smart Stuffed Toys Leak Data On 800,000 Users

The CloudPets user database was stored unprotected online, and weak passwords meant hackers could access stored children’s messages

Personal data on more than 800,000 users of a line of connected stuffed toys called CloudPets has been accessed by hackers, giving them access to voice recordings passed between family members, according to researchers.

The incident is the latest in which Internet-connected toys have exposed data involving children, the most high-profile being the hack of millions of child and adult users’ data held by Hong Kong-based VTech in November 2015.

Earlier this month Germany banned a connected toy called My Friend Cayla due to concerns it could be used as a covert surveillance device.

Credit: CloudPets
Credit: CloudPets

Unprotected database

CloudPets a line of stuffed animals made by Spiral Toys, allow adults and children to send recorded messages to one another via the Internet.

But computer security researchers said they found the database containing users’ email addresses and encrypted passwords on a publicly available web server that wasn’t protected by a firewall, or even a password.

While the passwords were encrypted using a strong hashing function called bcrypt, Spiral Toys’ lack of any password strength requirements meant many of the credentials were easy to guess, including ‘qwerty’, ‘123456’, ‘password’ and ‘cloudpets’, according to Troy Hunt, an Australian computer security expert who works for Microsoft.

“I cracked a large number in a very short time,” he wrote in a blog post. “The figures showed there would be thousands of passwords adhering to this very small handful of bad examples.”

Once the passwords were cracked, an attacker could enter the user’s CloudPets account and gain access to their voice recordings, Hunt said.

The database also included references to more than 2 million voice recordings, as well as users’ profile pictures, stored on Amazon S3 servers, according to Hunt.

While accessing those pictures and recordings would require an attacker to guess their URLs, Hunt said he believed that was possible.

He accessed snippets of recordings on the Amazon S3 servers with the cooperation of users involved in the breach, but said he didn’t attempt to access any files without authorisation.


‘Minimal’ risk

Spiral Toys downplayed the incident, saying the issue appeared “minimal” and that it had found no evidence user accounts or voice recordings had been accessed.

Voice recordings could only be accessed if an attacker guessed the user’s password, Mark Myers, chief executive of California-based Spiral Toys, said in a report by IT news website Network World published on Monday night.

Spiral Toys had previously failed to respond to multiple online and telephone communications from security researchers and journalists beginning in late December, when the exposed database first came to light, according to Hunt and others.

But Myers said the company never received those messages and claimed he only became aware of the matter when contacted by tech news website Motherboard last week. 

“We looked at it and thought it was a very minimal issue,” Myers said.

He acknowledged that the company had asked the third party that handles its back-end customer systems to increase security in January, following automated attacks on unprotected databases – including the CloudPets database – that took place on a large scale earlier that month.

Hunt confirmed that he and other researchers found the database in question was no longer publicly accessible as of 13 January – but by that time, it already appeared to have been accessed by an unknown number of outside parties.

On two occasions in early January, the database was deleted and a ransom note was left on the server saying the attackers had made a copy of the data – the type of automated attack carried out on many other databases during that period.

“Unauthorised access must have been detected but impacted parents were never notified,” Hunt wrote.

Weak passwords

He noted that California, where Spiral Toys is based, requires companies to notify users in the case of a data breach, which includes the disclosure of email addresses and passwords that permit access to an online account. The law was extended to cover encrypted data as of the first of January.

Spiral Toys and the company handling its back-end user systems seem not to have considered the apparent database accesses as a data breach because the passwords were encrypted.

Myers did, however, acknowledge the company was considering changing its password policy.

“Maybe our solution is to put more complex passwords… we have to find a balance,” he said regarding the lack of password strength requirements. “How much is too much?”

Hunt said he was “a bit stunned” by Myers’ response.

“Allowing a password of ‘a’ is too little,” he wrote.

Spiral Toys did not respond to a request for comment.

Do you know all about security in 2017? Try our quiz!