Every parent loves getting their kids the latest cool toys, but some of them are straight-up dangerous, especially the ones that can connect to the Internet, like CloudPets. As a matter of fact, these adorable little plush toys have managed to leak 800,000 user account credentials and also 2 million message recordings for anyone who wants to listen.
It seems that between Christmas and the first week of January, Spiral Toys, the company behind CloudPets, left customer data in a database that was protected by neither a firewall nor a password. The search engine Shodan is often used to find such unprotected websites and servers, and it was put to use to find the MongoDB database where all the CloudPets data was stored.
So, what was exposed? More than 800,000 emails with passwords. Thank god, the passwords are secured with bcrypt, a hashing function that is harder to crack than others. Troy Hunt, the security researcher behind Have I Been Pwned, has analysed the CloudPets data, and he claims that a huge number of these passwords are so weak that they might already have been cracked by now.
In just the weeks the data was exposed, a couple of security researchers, as well as malicious hackers, got their hands on this information. It also seems that several cyber criminals got their hands on the database and held it for ransom, as the CloudPets data has been overwritten twice as of now.
“It only takes a little mistake on behalf of the data custodian – like misconfiguring the database security – and every single piece of the data they hold on you can be in the public domain in just minutes,” Troy Hunt writes in a blog post. He adds that, without any doubt, there are many connected toys with serious security vulnerabilities.