CloudPets

CloudPets was an Internet-connected soft toy manufactured by the now-defunct Spiral Toys that was the subject of numerous security vulnerabilities in February 2017. The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone to allow distant family members to send voice messages to the toy, and allow children to send voice messages back. Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth. The personal records of over 820,000 owners of the toy were stored in an insecure MongoDB database. Attackers also replaced the database with a ransom demand pointing to a Bitcoin address. Data retrieved from the CloudPets database was sent to the Australian security researcher Troy Hunt, who included it in Have I Been Pwned?, a database of users whose data has been compromised. The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys. Hunt stated that the database hack was "ridiculously easy". [Cooper, Luke (2017-02-28). "Millions Of Private Messages Between Parents And Kids Hacked In Cloud Pets Security Breach". Huffington Post. http://www.huffingtonpost.com.au/2017/02/28/millions-of-private-messages-between-parents-and-kids-hacked-in_a_21816860/. Accessed 2017-08-06.]

Following disclosure of security vulnerabilities, CloudPets started enforcing stronger password requirements on users of the service; they had previously not enforced any password complexity requirements and their documentation had suggested short, weak passwords. Numerous journalists and security researchers including Hunt noted that the company was non-responsive to disclosures from security researchers and enquiries from journalists.


See also

* Computer security
* Internet of things
* My Friend Cayla, another Internet-connected children's toy

