First major “smart toys” data leak affects 2 million children

Innovative technologies are not just created for adults; everyone is able to get in on the fun. Children aren’t limited to hopscotch and marbles for entertainment anymore. Nowadays, kids can play learning games on the family tablet, use video game apps and even take a drone helicopter out for a flight.

For younger children, you might want to stick with simpler toys, like an internet-connected stuffed animal. But are these Internet-of-Things (IoT) toys safe? Unfortunately, not all of them are.

It’s happened just as predicted: A major internet-connected children’s toy has leaked the collected voices, email addresses and passwords of more than 2 million children and parents. And the manufacturer is hoping that no one will find out.

What data has been exposed?

What we’re talking about is an innocent-looking teddy bear made by a California company called Spiral Toys. The impacted toys are part of the company’s CloudPets line. The company has known about the data breach for two months but has yet to notify any of the affected families.

According to security researcher Troy Hunt, a Spiral Toys database that was not protected by a password or firewall was breached by hackers. Cybercriminals stole the database and are now holding it hostage, demanding that Spiral Toys pay a ransom to get it back. If the ransom is not paid, the hackers could sell the stolen data on the Dark Web.

There were actually two separate breaches involved in this incident. The first database that was breached stored over 2 million voice messages recorded by the smart toys. Private conversations from families and recordings of children alone playing with the toy were all taken.

In the second breach, Spiral Toys leaked user details for 800,000 accounts. The stolen data included both email addresses and passwords.

It’s outrageous that the toymaker has not informed its customers of the breach, especially since the stolen data is extremely sensitive.

What’s more personal than family conversations? It’s hard to imagine how furious impacted parents will be when they find out this happened.


Click here to read Hunt’s entire blog post on this data breach.

These interactive children’s toys have been flooding the market over the past year, and they pose serious security and privacy issues, so much so that the U.S. government is getting involved.

What does the U.S. government recommend in dealing with IoT toys?

In December 2016, the U.S. Senate Committee on Commerce, Science and Transportation released a report titled Children’s Connected Toys: Data Security and Privacy Concerns. In its conclusion, the committee gave recommendations to both toy manufacturers and parents. Here is what the committee had to say:

“The growth in connected toys has created valuable benefits for both parents and children. However, connected toys pose certain privacy and security risks that, if exploited, could have lifelong impacts for affected children.

“Today’s smart toys can collect a range of information, including a child’s name, gender, birthdate, and location – as well as store a child’s pictures, text messages, and audio recordings. The potential risks are only expanding as both the prevalence and sophistication of these toys continue to grow.

“The failure by a single company to adequately secure its data can have serious implications for millions of children and their parents. Therefore, toymakers, the FTC, and parents should take responsive actions to protect the privacy and security of children.”

Here are the committee’s recommendations for parents:

Parents should be aware of the information a toy is collecting about them and their child. While most parents are not data privacy or security experts and therefore may not be in a position to evaluate a company’s policies regarding data collection and use, parents should nevertheless make efforts to learn about the ways in which a toymaker collects, uses and secures data – and reject connected toys that do not provide this information. Parents should:

  • See what personal information a toy will collect, how that information will be used, whether it will be shared, and how long the information will be retained. Often this information is addressed in the toy’s privacy policy. If the toymaker has a long and confusing privacy policy, or if parents determine that the toy collects too much personal information, parents may want to reconsider giving that product to their child.
  • Check whether the toymaker has been the subject of a data breach and how that breach was handled. In particular, parents can check whether the company offered any remedial measures after the breach, such as credit monitoring services.
  • Change default passwords that come with the toy to strong, unique passwords and install any available updates to the toy’s software.
  • Change privacy settings, if possible, to limit the amount of personal information provided to the toymaker. Allow the toy to only collect the information necessary for the toy to properly function.

Click here if you want to read the full report from the Senate committee. And remember, when it comes to the security of your child, it’s always better to be safe than sorry. Do the research before giving them one of these internet-connected toys.
