Security News CloudPets Breached and Kids’ Voice Messages Exposed

Exterminator

Security experts are warning of yet another major data breach involving a connected toy company, exposing over 800,000 user accounts and potentially the voice recordings made between parents and their children.

The firm behind the CloudPets platform was contacted multiple times from December onwards about a possible breach, after it was discovered that more than 820,000 user accounts were left exposed and publicly accessible in a MongoDB database with no password protection.

Then at the beginning of January the original database was deleted and a ransom demand left on the exposed system, according to researcher Troy Hunt.

Although passwords were protected with the bcrypt hashing algorithm, there was apparently no minimum requirement regarding password strength, meaning users were able to save a single-letter log-in credential if they wished.

“What this meant is that when I passed the bcrypt hashes into hashcat and checked them against some of the world's most common passwords (‘qwerty’, ‘password’, ‘123456’, etc.) along with the passwords ‘qwe’ and ‘cloudpets’, I cracked a large number in a very short time,” explained Hunt.

“Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.”

Around 2.2 million voice recordings between parents and their children are thought to have been exposed following the breach.

However, remarkably, the California-based owner of CloudPets has hit back at reports, claiming that the breach was a “very minimal issue.”

"We have to find a balance," Spiral Toys CEO Mark Myers told IDG of his decision to opt for minimal password security requirements. "How much is too much?"

The incident is certainly not the first involving a toy manufacturer.

In November 2015, Hong Kong-based VTech revealed an unauthorized party had accessed customer data, including that of children, after what turned out to be an SQL injection attack.

Also, earlier this month, the German telecoms regulator urged parents to bin the talking Cayla doll after it was revealed that hackers could use an insecure Bluetooth device in the toy to listen and talk to the child playing with it.

Internet Connected Bears Hack Exposes 2 Million Voice Messages, 800K Credentials
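
The post above describes bcrypt hashes that fell quickly because sign-up accepted passwords such as a single letter, "qwe" or "cloudpets". The following is an added example, not part of the original post and not CloudPets' code, of a registration-time check that rejects those cases; the 8-character floor, the small blocklist and the function names are assumptions made for illustration.

```python
import re
import unicodedata

MIN_LENGTH = 8  # assumed floor; the article only says there was no minimum

# Constructed sample blocklist. A real deployment would load a large list of
# known-breached passwords instead of these few entries.
COMMON_PASSWORDS = {"qwerty", "password", "123456", "qwe", "letmein"}

# Undo simple character substitutions ("P@ssw0rd" -> "password").
_LEET = str.maketrans("013457@$!", "oieastasi")


def _strip_affixes(text):
    """Drop leading/trailing digits and punctuation ("password1!" -> "password")."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", text)


def password_problems(password, service_name, email):
    """Return the reasons to reject `password`; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    # Compare several normalised forms so trivial decoration does not slip by.
    folded = unicodedata.normalize("NFKC", password).casefold()
    stripped = _strip_affixes(folded)
    variants = {folded, stripped, stripped.translate(_LEET)}
    if variants & COMMON_PASSWORDS:
        problems.append("common_password")

    # Context-specific terms: the service name and the user's own identifiers.
    context = {service_name.casefold(), email.casefold(),
               email.split("@")[0].casefold()}
    if any(term in v for v in variants for term in context if len(term) >= 3):
        problems.append("contains_context_term")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the passwords named in the article.
    for candidate in ["q", "qwe", "cloudpets", "Cl0udP3ts2017!", "P@ssw0rd!!",
                      "correct horse battery staple"]:
        print(repr(candidate),
              password_problems(candidate, "CloudPets", "parent@example.com"))
```
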
 

pauloalex409

In the first place they shouldn't collect data like that... Sorry for those whose data was stolen... but this is for their learning kk (I know they will keep doing it one way or the other nvm)
 
