Cloudpets sound like a cool idea. Use a teddy bear as a microphone and speaker to allow children to communicate with loved ones. It’s such a great idea that over 800,000 of the stuffed animals have been sold. How do we know this? Because the company has no clue how to do security.
A maker of Internet-connected stuffed animal toys has exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts.
The toys record and play voice messages that can be sent over the Internet by parents and children. The MongoDB database of 821,296 account records was stored by a Romanian company called mReady, which Spiral Toys appears to have contracted with.
The database was completely open on the internet, and could be accessed without a password. What’s worse is that the recordings were stored on Amazon storage, again without a password. This means the attacker had full access to everything.
Security is hard to do, but apparently, Cloudpets thought that using a password was too hard.