Smart toy flaws make hacking kids' info child's play

CloudPets maker Spiral Toys left children's voice recordings and account info exposed, reports say. It appears hackers stole and ransomed user data.

Laura Hautala
Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials 2022 Eddie Award for a single article in consumer technology
3 min read
Account information on 800,000 ​CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports Monday.
Enlarge Image
Account information on 800,000 ​CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports Monday.

Account information on 800,000 CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports.

Spiral Toys/Screenshot by CNET

Bad news for parents and kids who sent each other voice messages through internet-connected stuffed animals called CloudPets: Their account information and voice recordings were left exposed on the internet, ready for anyone with a few web search skills to find.

That's according to reports published Monday from cybersecurity expert Troy Hunt, as well as Vice cybersecurity publication Motherboard.

The account information of more than 800,000 users, which included email addresses and easily guessed passwords, was stored on an online database that could be viewed by anyone -- no password required, both reports said.

Nearly 2.2 million voice recordings were also stored online unsecured. Hackers could listen to them by guessing the URL of the recording, Hunt found. Finally, both Hunt and Motherboard reported that hackers appear to have wiped the user database clean and held its contents for ransom at least twice.

Spiral Toys, the maker of CloudPets, said in an email Monday that the voice recordings were not compromised. The company didn't comment on whether its database was accessed and ransomed by hackers, or whether hackers could have accessed the voice recordings either by guessing easy passwords or the URLs of voice recordings. Spiral Toys didn't respond to followup questions from CNET on these topics.

Watch this: These robots are coming for your children

On Tuesday the company put out an official statement confirming the database of account information was exposed on the internet.

"Spiral Toys was notified about a potential breach on February 22 and took immediate and swift action to protect the privacy of our customers," the company said in its statement. "[W]e carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed."

The company said it believed the voice recordings and photos of users weren't accessed. The company will notify users and require them to pick passwords with "increased security," the statement said.

The reports come two weeks after German regulators warned parents that connected doll My Friend Cayla could compromise children's privacy. There haven't been reports of data leaking from the Cayla doll, but fears of exposing children's personal information have been percolating for a few years now.

Those fears heightened with the release of the interactive talking Hello Barbie doll in 2015 and subsequent claims from researchers that the doll had cybersecurity flaws. Other connected children's toys have also proved vulnerable to hackers, including VTech's Learning Lodge app and the Fisher-Price Smart Toy, also a smart stuffed animal.

Both Hunt and Motherboard had said they were unable to get in touch with the company. What's more, cybersecurity experts who spoke with both Hunt and Motherboard said they tried in vain to reach the company to warn it of the exposed data.

Spiral Toys said in an email that it didn't receive emails from Victor Gevers, a cybersecurity researcher who told Motherboard he reached out to the company multiple times. Gevers sent CNET screenshots of his attempts to reach Spiral Toys via email, which he said bounced back to him, as well as a link to a tweet sent to the company. Spiral Toys didn't respond to questions about the screenshots.

Spiral Toys is a publicly traded company that currently has a stock value of 1 cent, leading Hunt to speculate it has shuttered operations.

Hunt found that the data was no longer publicly searchable after January 13. He also said there was compelling evidence the database had been copied by hackers, who then offered to give it back to Spiral Toys for a ransom paid in bitcoins. Hunt detailed two ransom demands.

Originally published Feb. 27 at 3:53 p.m. PT.
Updates, Feb. 28 at 5:44 a.m., 12:27 p.m. and 2:48 p.m.: Added response from Spiral Toys; added more information about the Spiral Toys response; added official statement from Spiral Toys.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility. Check it out here.

Technically Literate:Original works of short fiction with unique perspectives on tech, exclusively on CNET. You can read them here.