Hackers hold MILLIONS of voice recordings to ransom after creepy CloudPets teddy bears leak private data of parents and children
‘Smart’ teddy bears that listened to the voices of children and parents have leaked 2 million recorded messages online – and hackers are now holding them for ransom.
The company that makes the ‘CloudPets’ toys also leaked the user details of 800,000 accounts, including email addresses and passwords.
The leak left millions of families’ private conversations, including voice recordings of their child alone with the toy, exposed for several days before it was stolen by cyber criminals.
Despite knowing about the leak for two months, ‘Spiral Toys’ has still not informed any of the families affected.
From Christmas last year until the first week of January, California-based Spiral Toys left customer data from its CloudPets brand on an exposed database.
In a blog post on the leak, online security expert Troy Hunt said that the original database was deleted on January 7 by cyber criminals, who have since been holding the voice recordings for ransom.
In January, a ransom demand named ‘PLEASE_READ’ was left in the data’s place on the exposed system.
The ransom note read: ‘You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:firstname.lastname@example.org’.
Bitcoin is an online currency that can be sent securely to a temporary address.
1 Bitcoin (BTC) is worth around $1190 (£950).
The next day, two more ransom notes appeared titled ‘README_MISSING_DATABASES’ and ‘PWNED_SECURE_YOUR_STUFF_SILLY’ with similar demands.
The original Spiral Toys database was not protected by a firewall or a password.
The exposed database was easy for cyber-criminals to find using a search engine called Shodan, which is designed to find unprotected websites and databases, security researchers told Motherboard.
Despite the leak occurring two months ago, Spiral Toys is yet to notify the victims or disclose the breach.
‘It’s an alarming leak because not only does it expose very personal information from children, but the company has also elected not to notify impacted families,’ Mr Hunt told MailOnline.
‘The primary risk is the invasion of privacy it poses to families. Whilst there is still the potential for hackers to abuse the usernames and passwords stolen, it’s strangers listening to your children which worries parents the most.
‘There’s little functional value to voice recordings of children, but it’s content of a very personal nature which families would obviously like to keep private.’
CloudPets are soft toys that allow parents and children to record voice messages to one another through a microphone installed in the bear.
An app on a parent’s mobile phone allows for messages recorded through the bear to be received remotely by the parent.
The parent can then respond by recording a message through their phone which is sent to the bear.
Messages sent through the bear or app went through the internet and were stored online as audio files by Spiral Toys.
They could now be in the hands of cyber criminals.
The voice messages were not stored in the exposed user database itself, but were easily accessible via a separate data ‘bucket’ that didn’t require any authentication to access.
Additionally, the app allowed users to create weak passwords such as ‘12345’ or ‘cloudpets’, making it easy for cyber criminals to log into user accounts and listen to their messages.
Mr Hunt claims that Spiral Toys should have done more to protect the data that was leaked.
‘Spiral Toys obviously should have had their database properly protected with a password.
‘They also should have had the database accessible to the World Wide Web and they should have enforced basic password requirements; allowing people to create a single digit password was never a good idea.’
And the security expert issues a caution to those who use internet-connected voice devices with their children.
‘People need to carefully think about how much personal information they expose about their families.
‘For me and many others, putting kids’ voice recordings online in this fashion is an unacceptable risk.
‘Internet connected services can do wonderful things, but they also present new risks. Consumers need to balance these up and consider whether the upsides of the technologies are worth the risk.’
Ben Herzberg, Security Research Group Manager at Imperva Incapsula, said: ‘Internet of things’ (IoT) devices have the potential to revolutionise the way we’re living.
‘However, we’ve seen a lot of security glitches from these IoT companies, and they need to understand that Information Security is not a “good-to-have”.
‘Every company that’s selling devices that connect to the internet must know that in that moment they become a target, and will probably not have a lot of grace time before they start getting attacked.’
Spiral Toys is yet to respond to MailOnline’s request for comment.