It’s like something out of a B-grade spy movie private conversations between family members overheard via a listening device installed in the kids’ teddy bear.
But for more than two million parents and their children worldwide, this has become a reality.
And all they did was buy a talking bear and install an app on their mobiles.
Passwords and email details have also been leaked in an internet hack of the popular children’s teddy bear toy from Cloud Pets.
Hackers have targeted the smart-toy range, which pairs a child’s teddy bear, unicorn or stuffed toy to an online mobile app where parents can pre-record messages for the bear to speak when a button is pressed.
Appearing on Channel Ten’s The Project, Internet security researcher,
Troy Hunt said he has launched website Have I Been Pwned? to act as a registry for parents to check if their security has been breached, and claimed thousands of Australian families could have been affected.
“It is hard to tell because we don’t have exact data on the geography of everyone. We know from previous data breaches it is normally around 1 per cent of people.
We are probably looking at some single-digit thousand Aussies,” he said.
Here it is:
– Toy captured kids voices
– Data exposed via MongoDB
– 2.2m recordings
– DB ransom’d
– And much more…https://t.co/HvePnZleXR— Troy Hunt (@troyhunt) February 27, 2017
Hey @CloudPets someone named S. Atan keeps sending messages to my kids’ cloud pets and the app won’t let me block him. Please help. pic.twitter.com/ETudxTQ0oA
— Handsome Neil (@MisterZoomer) January 29, 2017
He also said the origin of the security failure was a public database of the information applied to the bears that hackers managed to find online.
“Unfortunately, this one was ridiculously easy. The company that runs the service left their database public on the internet without a password and people found it. It was that simple,” he said.
“I think the thing that we are all most concerned about is these toys recorded kids’ voices. This is the entire design of it.
You leave a message for your father as a child or your mother and the relative then leaves a message for you on their phone and sends it back to the kids. So who is listening to it? That scares all of us with kids, I think.”
Australians are only able to purchase the toys online, so the exact number of people affected nationally is unknown.
Hunt has also said there is evidence to suggest hackers have been using the private information to hold people to ransom, according to News.com.au.
This is just horrible. Notified this morning that my data was hacked by my sons @CloudPets account. https://t.co/aMCgr84WfU
— Brian Christner (@idomyowntricks) February 28, 2017
No comment has come from Spiral Toys, the company behind the Cloud Pets brand, in relation to the hack.