CloudPets, which makes “smart” stuffed animals that enable children and parents to exchange personal messages from anywhere in the world, recently left more than 800,000 customer credentials and two million recorded messages exposed online, Motherboard reports.
From the end of December 2016 until at least the first week of January 2017, CloudPets parent company Spiral Toys placed customer data in a MongoDB database that wasn’t password-protected or behind a firewall, where it was easily uncovered using the Shodan search engine.
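The exposure described above comes down to two settings on the database server: which interfaces it listens on and whether clients must authenticate. The following is an added example, not Spiral Toys' actual configuration, showing a mongod.conf in that exposed shape followed by a hardened equivalent; the private address and the application subnet are placeholders.

```yaml
# Added example (not the CloudPets deployment): two mongod.conf variants.
# Addresses are placeholders chosen for illustration.

# --- Exposed: listens on every interface and requires no authentication ---
net:
  bindIp: 0.0.0.0      # reachable from anywhere unless a firewall sits in front
  port: 27017
# No 'security' section: any client that can open a TCP connection has
# full read/write access, which is exactly what internet-wide scanners
# such as Shodan index and what allowed the data to be copied and deleted.

---
# --- Hardened: private listener plus mandatory authentication ---
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback and the private interface the app uses (placeholder)
  port: 27017
security:
  authorization: enabled       # every client must present credentials with a defined role
```

When switching `authorization` to `enabled`, create the first administrative user over a localhost connection before restarting, otherwise you lock yourself out. `bindIp` narrows the listener but is not a substitute for a network-level rule: also block port 27017 at the host or cloud firewall and confirm from an outside host that the port is unreachable, since a public listener with no credentials is precisely the condition that internet-wide scans pick up.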
The database held more than 800,000 customer email addresses and bcrypt hashed passwords, though many of the passwords were so weak that they were easily cracked.
Security researcher Victor Gevers told Motherboard that the database held data on 821,396 registered users, which could be used to access 2,182,337 voice messages.
“[The] toy and gadget industry has a lot of catching up to do,” Gevers tweeted recently.
More recently, someone sent Troy Hunt a subset of the data containing approximately 583,000 records — the person who provided Hunt with the data had tried three times to notify CloudPets of the exposure, but received no response.
“Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this,” Hunt wrote. “If you run any sort of online service whatsoever, think about what’s involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise.”
More than once in early January, according to Hunt, the data was deleted from the database and a ransom was demanded to return it.
And while the incident took place over two months ago, Spiral Toys and CloudPets have not yet notified customers of the breach.
Earlier this week, Spiral Toys CEO Mark Myers told Network World that the impact of the breach is being exaggerated. “We looked at it and thought it was a very minimal issue,” he said.
In response, Hunt wrote, “To suggest that the exposure and ransom of a database containing 821k user records and providing access to millions of voice recordings from and to children represents ‘a very minimal issue’ is just unfathomable.”
“The CloudPets situation is a prime example of connected device manufacturers being grossly negligent towards the security of their products,” Webroot director of threat research David Kennerly told eSecurity Planet by email. “In addition, users must be educated on the potential for these devices to generate and store sensitive data, as well as how to use good security practices to ensure their information is safe.”
AlienVault security advocate Javvad Malik said by email that every company should ask whether they really need all the customer information they’re collecting, and whether they’re protecting it adequately. “For the large majority of companies producing children’s toys, the answer is unfortunately more likely to be a no on both accounts,” he said.
“Not only can you pinpoint individual children, such as John, age 8 who lives with his parents at this address, but it becomes relatively trivial to then steal a child’s identity – something that maybe won’t be discovered until the child is 18 and applies for their first bank loan or applies for a job – only to find they have been blacklisted on different systems,” Malik added.
According to a recent AT&T report, the first half of 2016 saw a 400 percent increase in attackers searching for vulnerabilities in IoT devices.
And while IoT devices have recently been leveraged in major DDoS attacks, the report suggests that’s just the beginning of the threat they present. “It’s easy to imagine nation states marketing seemingly legitimate IoT devices that contain backdoors for breaching networks or monitoring their activity,” the report states.
Regardless of intent, the report notes, many IoT device manufacturers fail to incorporate even basic security measures in their products. “Even more vulnerabilities are added when one company designs an IoT device, another provides component software, another operates the network, and another actually deploys the device. It’s often unclear who is ultimately responsible for security.”