Data from internet-connected smart teddy bears has been leaked and ransomed, exposing children’s voice messages and more than half a million customer accounts, according a security expert.
In a blog post, cybersecurity expert Troy Hunt says that an unnamed source contacted him about a data breach affecting the CloudPets range of stuffed animals. The Bluetooth-connected toys let parents upload and download messages to and from their children via an app.
The CloudPets database had allegedly been left exposed online.
“Someone sent me data from the table holding the user accounts, about 583k records in total,” wrote Hunt, in his blog post. “There are references to almost 2.2 million voice recordings of parents and their children.”
Hunt added that the information was sent to him by “someone who travels in data breach trading circles,” and said that others had also accessed the information. “The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom,” he wrote.
According to data received by Hunt, the 583,000 records were part of the larger database, which contained more than 820,000 users.
Technology news website Motherboard also reports that it was contacted about the breach independently by two security researchers in the last few weeks. With the help of the researchers, Motherboard was able to verify the legitimacy of the breach, it said.
Spiral Toys, the company behind CloudPets, has denied that customers were hacked. In a statement emailed to Fox News.com the Los Angeles-based firm said that it was notified of a potential breach on Feb. 22. "When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed," it said. "To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted."
Spiral Toys is also requiring users to choose new increased security passwords. "An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password," it said.
The company added that its CloudPet services have been running safely since March 2015. "We are taking all steps necessary to continue to run safely on our production servers," it said. "We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future."
Spiral Toys said that once customers' needs have been addressed and it has documented the incident, it will file the cyber-crime report with the State Attorney General in California.
Other internet-connected toys have also been grabbing headlines. The My Friend Cayla doll, for example, was recently banned by The Federal Network Agency in Germany amid hacking fears, although the doll’s German distributor insists it is safe to use. Hello Barbie has also been in the security spotlight in recent years, while electronic toy maker Vtech has been targeted by hackers.
Steven Malone, director of security product management at security company Mimecast told Fox News that users need to think carefully about the security implications of the Internet of Things, where a wide range of devices are connected to the web. "Just because you can connect a device to the Internet, it doesn’t mean you should!" he wrote.
Follow James Rogers on Twitter @jamesjrogers