This 'Smart' Toy Hack Just Put Thousands of Kids' Privacy at Risk

Spiral Toys
When it comes to toys, stuffed animals are generally considered to be one of the most benign playthings: They're not choking hazards, they can't shatter into a million pieces, and there are no hard edges. But apparently they can leak your personal information to the world -- or at least that's what security experts claim one popular brand of Internet-connected plushies did. 


CloudPets are supposed to be able to store and replay voice messages sent to them online -- from, say, a parent who's traveling for work or a grandparent who lives across the country. It's a cute idea, but not a particularly secure one, as it turns out, because the recordings, passwords, and log-ins of over 800,000 customers have allegedly been exposed to the general public since this past Christmas Day.

Yes, you read that correctly.

More from CafeMom: Popular Game Gives Sexual Predators Scary Access to Your Kids

This incredibly sensitive info was being stored in an easily accessible database online. Digital security expert Troy Hunt, who was one of the first people to notice the problem, claims he was able to access things like children's names, birthdays, and their relationships with authorized users -- a process he explains at length on his website. Basically, what it boils down to is this: Hundreds of thousands of kids (and adults) had their personal details (even recordings of their voices saying things like "I love you, Mommy") made completely vulnerable to the world wide web. This issue seems to have been confirmed by multiple security experts, but CloudPets has yet to take responsibility.

"Were voice recordings stolen? Absolutely not," Mark Meyers, CloudPets' chief executive, said in a statement to NetworkWorld. "The headlines that say 2 million messages were leaked on the Internet are completely false."

More from CafeMom: 13 Apps That Make It Impossible for Your Kids to Be Sneaky Online

Meyers also said that Spiral Toys, the company that makes CloudPets, only became aware of the exposed database problem after a Vice Media reporter contacted them last week. Meanwhile, experts -- including Victor Gevers from the GDI Foundation -- claim they've been trying to warn the company about the problem for months, according to Network World, but Spiral Toys never responded. Either way, Meyers seems oddly unconcerned.

"We looked at it and thought it was a very minimal issue," he said. 

It's doubtful any parents who spent money on a CloudPet would agree with him on that one, especially because this breach means hackers could potentially use log-in info to send messages to the toys themselves -- meaning some total creep could talk to your kid ... through a stuffed animal. It's like something out of a horror movie!

More from CafeMom: Why I'm Talking to My Kid About Online Safety Earlier Than I Expected

Thankfully, the database is no longer available to the public -- but that doesn't mean anyone who stole personal data already doesn't still have that data. According to Hunt, there's evidence that the database wasn't merely hacked, but held for ransom (as in, "cybercriminals" demanded money from Spiral Toys in exchange for the data's return). He says the only way to really fix the problem is to take the service and all the files offline.

So, are you ready to disable that talking teddy bear yet?

As a mother of three, I've personally always been a little bit weirded out by talking stuffed animals, but this is a whole new level of yikes -- not to mention a frightening reminder of why we should always be conscious of protecting our kids' privacy online.

Read More >