Toy Company Blackmailed After Data Breach

It’s hard to imagine what harm might come from a few cuddly stuffed bears...

When it comes to kids’ toys, it’s hard to imagine what harm might come from a few cuddly stuffed bears, dogs and rabbits. This may be true about my 2-year-old’s favorite naptime friend that she received from an insurance agent at the mall, but not all toys fall into this most basic of categories.

One company, Spiral Toys, is now in the spotlight over some of its internet connected huggables. Dubbed “CloudPets,” its line of stuffed toys connect to mobile apps and let parents and loved ones send messages to their children that come through as voice recordings. But Bloomberg is reporting that there’s danger lurking behind those glassy eyes because, you guessed it, the company left its data vulnerable to breach, and breached it was.

Bloomberg says that the CloudPet conversations were recorded and stored -- along with users' encrypted passwords -- on an unprotected server that belonged to a Romanian company called mReady. When hackers realized the database didn't require authentication to access it, they found themselves among 820,000 user accounts and 2.2 million voice recordings. And while access to the existing recordings of you and your kids is weird enough, the security gap also left the toys open to outside parties uncovering ways to communicate with your children – not to mention each account was stocked with the child’s name and photo.

And once the hackers had their hands on the data, they got aggressive – CNN says once the system was breached, someone deleted the data, and posted a ransom note, attempting to extort Spiral Toys for an undisclosed amount in Bitcoin in order to get its data back.

It appears instead that Spiral Toys was able to restore the data from a backup, not that they even cared because the small company, as of mid-2016, had stopped making toys anyway. And since Spiral Toys has basically bailed on the business, they never actually informed their customers of the breach – which could be a violation of the law. But we’ll let them deal with that. For any of you CloudPet owners out there – change your passwords. It’s easily possible these malicious actors kept a copy of this data. Or, better yet, swap these toys for something a little less creepy.

I’m Anna Wells and this is IEN Now.

More in Regulation