The FBI team told parents that many Internet of Things (IoT) toys with cloud-backed features such as speech recognition or online content hosting "could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed."
"Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use. Consumers should perform online research of these products for any known issues that have been identified by security researchers or in consumer reports," a spokesperson for the FBI said.
In February 2017, a series of web-connected, app-enabled IoT toys called CloudPets were hacked, exposing 800,000 user account details and voice messages left by children.
From December 25, 2016 until the first week of January 2017, Spiral Toys left customer data of its CloudPets brand on a database that wasn't firewall protected, and as a result, more than 800,000 emails and passwords were exposed.
At the beginning of January, several cybercriminals were actively scanning the internet for exposed MongoDB databases to delete their data and hold it for ransom, and CloudPets' data was overwritten twice, according to researchers.
Following this latest development, the FBI's warning advises parents to review not only what the toys collect and transmit, but also the privacy policies they operate under.
Additionally, parents are advised to only operate connected toys on trusted Wi-Fi networks, and to make sure the firmware and patches are installed for apps and connected devices.
"Bluetooth-connected toys that do not have authentication requirements (such as PINs or passwords) when pairing with the mobile devices could pose a risk for unauthorized access to the toy and allow communications with a child user," the FBI said.
"It could also be possible for unauthorized users to remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised."