Internet-connected CloudPets toys stored children's voice recordings online and left the associated data in an unprotected database for anyone, hackers included, to find.
Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn't behind a firewall or password-protected. The MongoDB database was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data. … During the time the data was exposed, at least two security researchers, and likely malicious hackers, got their hands on it. In fact, at the beginning of January, during the time several cybercriminals were actively scanning the internet for exposed MongoDB databases to delete their data and hold it for ransom, CloudPets' data was overwritten twice, according to researchers.
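The failure described in that excerpt is a mongod listening on a public interface with authorization left at its default of disabled, so any client that finds the port can read, write or drop every collection. As an added example, not taken from Motherboard, Hunt or Spiral Toys, here is that weak configuration beside a corrected one; the port is MongoDB's default and the 10.0.0.5 address is a made-up private application-network address.

```yaml
# Weak mongod.conf (constructed illustration of an exposed instance)
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, including the public one
# No "security" section: authorization defaults to disabled, so an
# unauthenticated client can list, dump and delete every database.
---
# Corrected mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address only (assumed address)
security:
  authorization: enabled       # every client must authenticate; roles limit what it may touch
```

Authorization alone is not enough if the port stays reachable from the internet, which is why the corrected file also narrows `bindIp`; a host or cloud firewall rule should still block 27017 from everything but the application network. A quick check from an outside host is `mongo --host <address> --eval 'db.adminCommand({listDatabases: 1})'`: against the weak instance it prints every database name, against the corrected one it fails with a "not authorized" error.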
Security researcher Troy Hunt reports that CloudPets, the snuggly spies from Spiral Toys, "represents the nexus" of the problem with internet-connected appliances and toys: children being recorded, data being leaked, and the technical possibility of surreptitious access to children through networked toys. "The best way to understand what these guys do is to simply watch the video [advertisement for the toy]."
Hunt's summary on Twitter:
– Toy captured kids' voices
– Data exposed via MongoDB
– 2.2m recordings
– DB ransom'd
– And much more… https://t.co/HvePnZleXR
— Troy Hunt (@troyhunt) February 27, 2017
Clearly, CloudPets weren't just ignoring my contact; they simply weren't even reading their emails.
4 attempts (that we know of) were made to contact CloudPets and warn them of this risk. …
By now it's pretty obvious that multiple parties identified the exposed database, it remained open for a long period of time and it exposed some very personal data. It would be a safe bet to assume that many other parties located and then exfiltrated the same data because that's what people do; scanning for this sort of thing is enormously prevalent and that data – including the kids' and parents' intimate audio clips – is now in the hands of an untold number of people. But it gets even worse again…
Moreover, the company seems not to grasp the problem and is responding dismissively to criticism.
@lorenzoFB "We did have a reporter try to contact us multiple times last week; you don't respond to some random person about a data breach."
— Michael Kan (@Michael_Kan) February 28, 2017
"FREE Shipping for Active Duty Military!"
— Internet of Shit (@internetofshit) March 2, 2017