2017 CloudPets data breach
{{Short description|Internet-connected soft toy line}}
CloudPets was a line of Internet-connected soft toys manufactured by the now-defunct Spiral Toys that was found to have numerous security vulnerabilities in February 2017.{{Cite news|url=https://www.forbes.com/sites/leemathews/2017/02/28/cloudpets-data-leak-is-a-privacy-nightmare-for-parents-and-kids/|title=The Latest Privacy Nightmare For Parents: Data Leaks From Smart Toys|last=Mathews|first=Lee|work=Forbes|access-date=2017-08-06}}{{Cite news|url=http://www.networkworld.com/article/3175225/security/smart-teddy-bears-involved-in-a-contentious-data-breach.html|archive-url=https://web.archive.org/web/20170301091801/http://www.networkworld.com/article/3175225/security/smart-teddy-bears-involved-in-a-contentious-data-breach.html|url-status=dead|archive-date=March 1, 2017|title=Smart teddy bears involved in a contentious data breach|last=Kan|first=Michael|work=Network World|access-date=2017-08-06|language=en}} The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone, allowing distant family members to send voice messages to the toy and children to send voice messages back.{{Cite news|url=https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults|title=CloudPets stuffed toys leak details of half a million users|last=Hern|first=Alex|date=2017-02-28|work=The Guardian|access-date=2017-08-06|language=en-GB|issn=0261-3077}}
Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth. The personal records of over 820,000 owners of the toy{{Cite web|url=https://money.cnn.com/2017/02/27/technology/cloudpets-data-leak-voices-photos/index.html|title=Stuffed toys leak millions of voice recordings from kids and parents|last=Larson|first=Selena|date=2017-02-27|website=CNNMoney|access-date=2017-08-06}} were stored in an insecure MongoDB database. Attackers also replaced the database with a ransom demand pointing to a Bitcoin address.{{Cite news|url=https://www.bbc.co.uk/news/technology-39115001|title=Children's messages in CloudPets data breach|date=2017-02-28|work=BBC News|access-date=2017-08-06|language=en-GB}} Data retrieved from the CloudPets database was sent to the Australian security researcher Troy Hunt, who included it in Have I Been Pwned?, a database of users whose data has been compromised. The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys.{{Cite news|url=http://www.computerweekly.com/news/450413962/CloudPets-data-breach-underlines-need-for-secure-cloud-apps|title=CloudPets' data breach underlines need for secure cloud apps|work=ComputerWeekly|access-date=2017-08-06|language=en-GB}} Hunt stated that the database hack was "ridiculously easy".{{Cite news|url=http://www.huffingtonpost.com.au/2017/02/28/millions-of-private-messages-between-parents-and-kids-hacked-in_a_21816860/|title=Millions Of Private Messages Between Parents And Kids Hacked In Cloud Pets Security Breach|last=Cooper|first=Luke|date=2017-02-28|work=Huffington Post|access-date=2017-08-06|language=en-AU}}
Following disclosure of security vulnerabilities, CloudPets started enforcing stronger password requirements on users of the service—they had previously not enforced any password complexity requirements and their documentation had suggested short, weak passwords. Numerous journalists and security researchers including Hunt noted that the company was non-responsive to disclosures from security researchers and enquiries from journalists.
See also
- Computer security
- Internet of things
- My Friend Cayla, another Internet-connected children's toy