Internet-Connected Teddy Bear Leaks 2 Million Voice Recordings of Parents and Children

smart internet teddy bear hacked
"A message you can hug"—and hack. CloudPets teddy bears exposed voice recordings of more than two million parents and children. CloudPets

More than two million voice recordings made by parents and children have been exposed by internet-connected teddy bears.

The data breach, which also compromised email addresses and passwords of users, was revealed by security researcher Troy Hunt. More than 800,000 customer credentials of CloudPets stuffed animals, made by Spiral Toys, were left exposed between Christmas day 2016 and the first week of January.

Compromised messages include one from a child that states: “Hello mommy and daddy, I love you so much.”

The database was accessible through Shodan, a search engine that provides access to unprotected devices connected to what the website terms the Internet of Things.

“[Parents] don’t necessarily realise that every one of those recordings—those intimate, heartfelt, extremely personal recordings—between a parent and their child is stored as an audio file on the web,” Hunt wrote in a blog disclosing the security vulnerability.

“By now it’s pretty obvious that multiple parties identified the exposed database, it remained open for a long period of time and it exposed some very personal data. It would be a safe bet to assume that many other parties located and then exfiltrated the same data… and that data—including the kids’ and parents’ intimate audio clips—is now in the hands of an untold number of people.”

A spokesperson for Spiral Toys was not immediately available for comment. Mark Myers, the CEO of the company, denied the data breach in a statement to Network World. He said: “The headlines that say 2 million messages were leaked on the internet are completely false… We looked at it and thought it was a very minimal issue.”

In response, Hunt updated his original blog post to describe Myers’ comments as “unfathomable.”