More than 2 million recorded messages from a ‘smart teddy bear’ that lets children record messages and send them to others were leaked on the internet. The affected teddy bears are from the brand CloudPets, part of Spiral Toys.
Children can send messages through the teddy bear, for example to their parents, via the CloudPets app, and parents can reply to them. However, these messages were stored in an unprotected MongoDB database that was accessible to everyone. The database contained 2.2 million messages, according to security researcher Troy Hunt. Besides the recordings, 820,000 user accounts were also stored in the unsecured database.
The issue was discovered because Hunt was contacted by a user who had tried several times to warn CloudPets that the database was accessible to everyone, but never received a response.
The type of database (MongoDB) in which the messages were stored has been targeted by cybercriminals for some time already. There are known cases where owners of MongoDB databases had to pay a ransom to regain access to their data. According to Hunt, the CloudPets database had also been ransomed in the past.
Hunt therefore argues that CloudPets should have known that their database was unprotected, but parents were never informed about the data breach. A possible reason is that the company is in financial trouble: its shares are worth less than half a cent and the entire company is worth less than 99% of its peak value.
Hunt was also unable to contact the company, but somehow the unprotected database is no longer accessible.