The database behind an internet-connected cuddly toy exposed the account information of over 800,000 users, while a database of over 2 million voice recordings of children and their parents was stored in a way which left them easily searchable on the internet.
Email addresses of over 820,000 CloudPets users were stored in a MongoDB database within a publicly facing network segment, which could be searched without any authentication by using the Shodan IoT search engine, according to the report from cybersecurity researcher Troy Hunt.
Many of the passwords for the CloudPets accounts were easily crackable because no rules for password strength were enforced, meaning they could be just one character long. As Hunt points out, even the company's own 'Getting Started' video features a weak password: just 'qwe', a three-character sequence made up of keys next to each other on a keyboard.
Many CloudPets users had mimicked the video, selecting 'qwe' as their password. Other poor passwords included 'qwerty', 'password', and '123456'.
Hunt said it was possible to access voice recordings from a database of 2.2 million files, exposing the conversations children and their parents had with the toys to strangers online.
"The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children," said Hunt.
Despite cybersecurity researchers pointing out these flaws, Spiral Toys, which makes the CloudPets toys, denied that security was compromised.
"Were voice recordings stolen? Absolutely not," Spiral Toys CEO Mark Myers told Network World. However, he did concede that the company should improve the password policy for CloudPets. "Maybe our solution is to put more complex passwords," he said.
It's not the first time toy manufacturers have been criticised for poor internet security in their products; just two weeks ago, German regulators warned that the My Friend Cayla doll could compromise the privacy of children.