From December 25, 2016 until the first week of January 2017, Spiral Toys left customer data for its CloudPets brand in a database that was not protected by a firewall. As a result, hackers were able to obtain the information, lock it and hold it for ransom.
CloudPets let parents record a message for their children on their phones; the message is then delivered to the Bluetooth-connected stuffed toy and played back.
Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. According to sources, the Android app has been downloaded more than 100,000 times.
The data was found in a MongoDB database (MongoDB is a free, open-source, cross-platform document-oriented database program) that had been left unprotected.
As a result of the breach, more than 800,000 email addresses and passwords were exposed.
During the period in which the data was exposed, it was accessed by at least two security researchers as well as by malicious hackers. In fact, at the beginning of January, several cybercriminals were actively scanning the internet for exposed MongoDB databases, deleting their data and holding it for ransom, and CloudPets' data was overwritten twice, according to researchers.
So how exactly did this happen? The central database holding CloudPets' voice messages and user information was stored on a public-facing MongoDB server that was trivially accessible, and the protection on the usernames and passwords it held was very basic, according to sources.
The same database apparently also pointed to the stored voice messages, which the apps and toys could retrieve.
Easy access and poor password requirements may have led to unauthorized access to a large number of accounts. The database was finally removed from the server in January, but not before ransom demands had been left.
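The two weaknesses described above, a password store anyone could read and no rules on what a password had to look like, compound each other: once the hashes are in an attacker's hands, a slow hash only raises the cost per guess, and it cannot protect a password that sits in the first handful of guesses. The following is an added example, not CloudPets' or Spiral Toys' code. It hashes a constructed set of accounts with hashlib.scrypt (a stand-in for whatever hash the real service used), runs a small dictionary attack over the dump, and shows the signup-time policy check that would have refused the passwords the attack recovers. The email addresses, passwords, wordlist, scrypt work factors and policy thresholds are all assumptions made for the demo.

```python
# Added example (not CloudPets' or Spiral Toys' code): a password store with
# "no rules" like the one described above, attacked with a small dictionary,
# next to the policy check that would have refused those passwords.
# Everything below is constructed for the demo; the accounts, the wordlist and
# the scrypt parameters are assumptions, not data from the breach.
import hashlib
import hmac
import os

# Slow password hash. scrypt stands in for whatever hash CloudPets used;
# the work factors are kept small (assumption) so the demo runs in seconds.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest) for a password using a per-user random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


# Constructed wordlist: the kind of guesses a "no complexity rules" app admits.
WORDLIST = ["123456", "password", "qwe", "qwerty", "cloudpets", "abc123",
            "letmein", "111111"]

# Constructed accounts: what a dump of the user collection might contain once
# hashed. Four use passwords the app's (absent) rules let through; one does not.
SAMPLE_PASSWORDS = {
    "parent1@example.com": "qwe",
    "parent2@example.com": "password",
    "parent3@example.com": "cloudpets",
    "parent4@example.com": "123456",
    "parent5@example.com": "blue kettle shouts at dawn 1994",
}


def build_sample_accounts() -> dict:
    """Hash the constructed passwords as a breached server would have stored them."""
    return {email: hash_password(pw) for email, pw in SAMPLE_PASSWORDS.items()}


def dictionary_attack(accounts: dict, wordlist: list) -> dict:
    """Try every wordlist entry against every account; return email -> password.

    A slow hash only raises the cost per guess; it cannot save a password that
    is in the attacker's first handful of guesses."""
    cracked = {}
    for email, (salt, digest) in accounts.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[email] = guess
                break
    return cracked


def policy_allows(password: str, min_length: int = 12) -> bool:
    """Minimal policy the app could have enforced at signup (assumed values):
    a length floor plus a deny-list of known-bad passwords."""
    if len(password) < min_length:
        return False
    if password.lower() in {w.lower() for w in WORDLIST}:
        return False
    return True


if __name__ == "__main__":
    accounts = build_sample_accounts()
    cracked = dictionary_attack(accounts, WORDLIST)
    for email, pw in cracked.items():
        print(f"cracked {email}: {pw!r} (policy would allow: {policy_allows(pw)})")
    print(f"{len(cracked)} of {len(accounts)} accounts cracked with "
          f"{len(WORDLIST)} guesses")
```

Run as a script, it recovers four of the five constructed accounts with eight guesses, and every recovered password is one `policy_allows` rejects; the passphrase account survives because it is simply not in the list. The other half of the problem, the database being readable from the internet at all, is a deployment matter rather than application code: a mongod reachable by the public should never run with `net.bindIp` set to all interfaces and `security.authorization` disabled, and a host firewall in front of it is the cheap backstop the story above says was missing.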
The toys are internet-connected devices, part of what is known as the Internet of Things (IoT), and they were open to compromise because the data behind them was so easily reachable.
According to tech experts, if you are a parent who doesn't want your loving messages to your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn't connect to a remote, insecure server.
Here it is:
— Toy captured kids voices
— Data exposed via MongoDB
— 2.2m recordings
— DB ransom'd
— And much more… https://t.co/HvePnZleXR
— Troy Hunt (@troyhunt) 27 February 2017
This was a major security breach, and according to some it only goes to show that the IoT is a real and present danger.
Police authorities in the US have warned consumers that internet-connected devices, from medical devices to security systems, are potential targets for cybercriminals.
Security experts believe the tech industry needs to figure out how to secure the IoT now, while the architecture is still being developed. That means building in features such as encryption, authentication and the ability to update devices remotely from the start.
"It only takes one little mistake on behalf of the data custodian […] and every single piece of data they hold on you and your family can be in the public domain in mere minutes," Hunt said.
"If you're fine with your kids' recordings ending up in unexpected places then so be it, but that's the assumption you have to work on because there's a very real chance it'll happen," he added.
The danger of the IoT, according to some tech experts, is no child's play, and cybersecurity experts are calling on governments to help make it more secure.