A database containing account information used by children’s stuffed toys has been hacked, exposing the personal details of hundreds of thousands of parents and their children.
The latest security debacle comes courtesy of toys called CloudPets. Marketed as “the message you can hug,” the Bluetooth-enabled stuffed animals are connected to a cloud server, allowing parents and children to record and transmit voice messages through the toys.
However, those messages were being stored in an unsecured MongoDB database that could be indexed using the Shodan Internet of Things search engine, making it easy for hackers to download the database that contained as many as 820,000 email addresses, passwords and more than 2 million associated voice messages, according to reports.
Security blogger and researcher Troy Hunt wrote about his discovery of the leaked data on his Web site. “People found the exposed database online,” Hunt said. “Many people and the worrying thing is, it’s highly unlikely anyone knows quite how many.”
The database in question seems to include both staging and testing environments. What’s unusual is that both environments face the public Web despite containing real customer data, breaking the cardinal rule of never putting production data into a non-production system, Hunt said.
“It also potentially exposes the production system (and production customer data) to developers building the software (another cardinal rule broken), but at this stage when it’s entirely open to the Internet anyway, that would be the least of their worries,” he said. “The point is, what’s disclosed . . . suggests the problems go deeper than data exposure alone.”
But CloudPets aren’t the only new devices on the market giving heartburn to security and privacy experts. Amazon’s personal assistant, Alexa, could be used to spy on consumers for the police.
At least, a prosecutor in Arkansas…