Stuffed toys leak millions of voice recordings from kids and parents
Recorded messages spoken to teddy bears could pose privacy risks for children, CNN reports.
A security vulnerability allowed anyone to view personal information, photos and recordings of children's voices from CloudPets toys. And at one point, some people tried to hold all of that information for ransom.
According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. The exposed data includes 2.2 million voice recordings.
"I suspect one of the things that will shock people is that they probably didn't think through the fact that when you connect the teddy bear, your kids' voices are sitting on an Amazon server," Hunt said.
CloudPets toys connect to mobile apps and let parents and loved ones send messages to their children that are played through the stuffed animals. When you create an account with CloudPets, you give it your child's name, an email address and a photo.
Like other toys that connect to the internet, CloudPets stores all that data in the cloud, not on your smartphone itself. The toys launched in 2015, and include stuffed bears, dogs, cats and rabbits.
But as Hunt and other investigators found, kids' information was stored in an insecure database that didn't require authentication to access. As Hunt explained to CNNTech, it takes one mistake to expose this data -- the error on the database was a bit like not having a PIN on your smartphone.
This database was indexed by Shodan, which is a search engine for finding insecure devices connected to the internet. You can use it to see if popular devices (like toys) are leaking data -- you can also use it to take advantage of insecure systems.