Data from internet-connected smart teddy bears has been leaked and ransomed, exposing children’s voice messages and more than half a million customer accounts, according to a security expert.
In a blog post, cybersecurity expert Troy Hunt says that an unnamed source contacted him about a data breach affecting the CloudPets range of stuffed animals. The Bluetooth-connected toys let parents upload and download messages to and from their children via an app.
The CloudPets database had allegedly been left exposed online.
“Someone sent me data from the table holding the user accounts, about 583k records in total,” wrote Hunt, in his blog post. “There are references to almost 2.2 million voice recordings of parents and their children.”
Hunt added that the information was sent to him by “someone who travels in data breach trading circles,” and said that others had also accessed the information. “The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom,” he wrote.
According to data received by Hunt, the 583,000 records were part of the larger database, which contained more than 820,000 users.
Technology news website Motherboard also reports that it was contacted about the breach independently by two security researchers in the last few weeks. With the help of the researchers, Motherboard was able to verify the legitimacy of the breach, it said.
Spiral Toys, the company behind CloudPets, has denied that customers were hacked. “Were voice recordings stolen? Absolutely not,” Spiral Toys CEO Mark Meyers told Network World.
“The headlines that say 2 million messages were leaked on the internet are completely false,” he said. Meyers told Network World that a hacker would only be able to access a customer’s voice recording if they managed to guess the password.
The CEO added that Spiral Toys found no evidence that any hackers broke into customer accounts, and is planning a password reset for all users.
Spiral Toys has not yet responded to requests for comment on this story from Fox News.
Other internet-connected toys have also been grabbing headlines. The My Friend Cayla doll, for example, was recently banned by the Federal Network Agency in Germany amid hacking fears, although the doll’s German distributor insists it is safe to use. Hello Barbie has also been in the security spotlight in recent years, while electronic toy maker Vtech has been targeted by hackers.
Steven Malone, director of security product management at security company Mimecast, told Fox News that users need to think carefully about the security implications of the Internet of Things, where a wide range of devices are connected to the web. “Just because you can connect a device to the Internet, it doesn’t mean you should!” he wrote.