CloudPets Toys Expose 2 Million Messages Due To Unsecured Server, Hackers Held Data For Ransom
Several days ago, Germany banned a doll for spying on children and then Cloudbleed happened. Well, the problem has spilled over the United States after a security report revealed that close to a million CloudPets user accounts have been hacked. The compromised data include personal information as well as recorded messages of children talking to their toys.
It was found that the perpetrators even tried to hold the data for ransom. It is not yet clear if money did indeed change hands.
How Did It Happen?
CloudPets's main selling point is that children will be able to talk to their IoT toys, which include stuffed animals such as bears, dogs, and rabbits. There is also a dedicated mobile app that lets parents send their children messages while they are away.
In order for this to happen, CloudPets store messages and data in the cloud. Everything worked perfectly, communication has been seamless, and the toys served to increase children and parents bond.
Unfortunately, it seems that CloudPets has used an insecure cloud server, which exposed it to hackers. According to Troy Hunt, the security researcher who authored the report, the company did not install an authentication mechanism for access.
To demonstrate this, one can turn to how CloudPets data have been indexed by Shodan, which is a search engine that crawls vulnerable devices connected to the internet.
Hunt revealed that the hackers have accessed the CloudPets data and wiped it out for good measure. They then asked CloudPets to cough up Bitcoin money if they want the data restored.
"The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom," Hunt said.
Fortunately, the toy maker has backed up its data so the deleted files were immediately restored.
If you think that the problem ended then and there, you cannot be even more wrong. While CloudPets managed to retain the data, there is still the fact that information about its users are sitting in someone else's hard drive, getting read and analyzed by anonymous misfits.
Remember that the compromised data include 820,000 user accounts and includes up to 2.2 million recorded messages between children and their toys.
The CloudPets data seems to have been secured sometime in January as it is no longer publicly accessible since. However, according to CNN, CloudPets has kept its users in the dark about the breach, which could expose it to legal liability under a California statute that mandates an obligation on the part of companies to inform users if their personal details have been exposed online. The company, and its maker Spiral Toys, are based in California.
What is also notable in this whole affair is that some CloudPets consumers have spotted the vulnerability and promptly called the company's attention accordingly. Their letters were reportedly left unanswered.