Internet-connected teddy bear company hacked; 2 million parent-child voice messages held ransom

A textbook case of security malpractice from CloudPets maker Spiral Toys.

A company selling internet-connected stuffed toys used by kids and parents to send voice messages to one another leaked 800,000 user account credentials and 2 million message recordings, according to security researcher Troy Hunt. The data was hacked, locked and held for ransom.

Researchers and journalists have been trying to reach the company, Spiral Toys, since late last year to confirm and fix the data breach and security problems for the CloudPets brand. No one has heard back from the manufacturers as the data hit the web and was passed around between hackers and researchers.

The magnitude of problems and the nature of the victims  small children and families — have set up the CloudPets hack to be a textbook-example security failure for a long time to come.

Spiral Toys is a virtually worthless company, according to its stock prices and activity. It does not appear to have a functioning phone number, and no one at Spiral Toys has answered an email on this issue for months, including messages sent Monday by CyberScoop.


CloudPets’ data is stored in a public-facing MongoDB database without any authentication required. The database was indexed by search engines like Shodan and found independently by multiple individuals. There was no password to protect the database. Users have no password requirements on their own accounts and the site itself offers no security.

In mid-January, as hackers attacked and ransomed thousands of critically vulnerable MongoDB databases, researchers saw the CloudPets database suffer the same fate. Unlike other databases, whose owners paid the ransom or at least responded to the demands, Spiral Toys appears to have been silent on the issue as the database was deleted and ransomed numerous times over the next several days.

Sensitive data was exposed, Hunt wrote, and no parents were ever notified.

“Circling back to the parents’ position for a moment, you must assume data like this will end up in other peoples’ hands,” Hunt wrote. “Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes. If you’re fine with your kids’ recordings ending up in unexpected places then sobeit, but that’s the assumption you have to work on because there’s a very real chance it’ll happen.”

Latest Podcasts