Over two million voice recordings from parents and children along with 800,000 account credentials have been exposed; all because of internet-connected teddy bears and poorly secured MongoDB databases.
CloudPets is a brand of internet of shit teddy bears that, along with an accompanying mobile app, allowed parents and children to leave special messages for each other. The idea is sweet for parents who are often away from their kids. Unfortunately, due to the woeful security practices of Spiral Toys, the company that made CloudPets, those messages have not been kept private.
Details of the audio files for CloudPets, as well as customer information, were stored in a database that was atrociously insecure. According to security expert Troy Hunt who disclosed the issue:
[T]hat data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).
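The two settings that make a MongoDB instance reachable like that are the listen address and whether authentication is required. The following is an added example, not code from the original article or from Troy Hunt, that audits a mongod.conf for both: the constructed EXPOSED_CONF sample shows the weak combination, HARDENED_CONF the corrected one, and the parser is a deliberately minimal one for the config layout rather than a general YAML loader.

```python
import re

# Constructed sample: a config of the kind that leaves a database reachable
# from the internet with no credentials required.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the hardened equivalent.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Minimal parser for the two-level 'section / key: value' layout of
    mongod.conf (assumption: simple scalars only; not a general YAML loader)."""
    conf, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*?)\s*$", line)
        if not m or line.lstrip().startswith("#"):
            continue
        indent, key, value = m.groups()
        if indent == "":
            section = key
            conf[section] = value or {}
        elif isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf

def setting(conf, section, key):
    sect = conf.get(section)
    return sect.get(key) if isinstance(sect, dict) else None

def audit(text):
    """Return the findings for a mongod.conf; an empty list means it passes."""
    conf = parse_conf(text)
    findings = []
    bind = setting(conf, "net", "bindIp")
    if setting(conf, "net", "bindIpAll") == "true":
        findings.append("net.bindIpAll is true: listens on all interfaces")
    elif bind is None:
        findings.append("net.bindIp not set: pre-3.6 mongod listened on all interfaces")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp includes a wildcard address: reachable from any network")
    if setting(conf, "security", "authorization") != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    return findings
```

A missing bindIp is reported as a finding because the localhost default only arrived in MongoDB 3.6; a config that passes this audit should still sit behind a firewall and, for S3-style storage of the recordings themselves, the bucket needs its own access check.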
Hunt obtained a portion of the exposed database and verified that the information inside was the real deal. Working with other researchers, he found that over 800,000 account credentials for CloudPets were on the database. These included usernames, email addresses and hashed passwords, some of which were easily cracked due to CloudPets' lack of password strength rules.
Hunt's group also found references to 2.2 million voice recordings of parents and their children exposed by CloudPets' databases. The voice recordings themselves were not stored in the database but Hunt did some digging and found them stored in an Amazon S3 bucket with no authorisation required.
"The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children," Hunt said.
But it gets worse. As one of the researchers involved discovered:
There were many malicious parties taking action against exposed databases during this period and we frequently saw the same system accessed multiple times by different actors, each demanding their own ransom. It wasn't until January 13 that Shodan reported no publicly accessible databases remained on CloudPets' IP Address.
Spiral Toys had been notified by multiple security researchers since December 2016. Spiral Toys has yet to issue a response but it appears that the company may have gone out of business. Good riddance. If only it had bothered to clean up the security mess it has left.
You can read a detailed account of the CloudPets saga over at Troy Hunt's blog.