CloudPets Connected Toys Leaked Voice Recordings Online

If you have never heard of CloudPets, it may well be because you have no kids. CloudPets are connected stuffed animals that allow parents to share voice messages with kids. The toys connect to mobile apps so that parents or loved ones can send a message to the child that is played back through the stuffed animal. Creating the account for the CloudPet requires naming the pet and entering an email address and a photo.

The catch is that the database that CloudPets sent all those voice messages to wasn’t secured and leaked millions of voice messages online. Security researcher Troy Hunt says that over 820,000 user accounts were exposed in the leak along with 2.2 million voice messages.

The security vulnerability allowed anyone to see the personal information contained in the accounts, including the voice recordings and photos. One nefarious person who accessed the data tried to hold it for ransom. The insecure database had been indexed by Shodan, a search engine that indexes internet-connected devices and services, which makes exposed systems like this one easy to find.

Hunt says that the person who attempted to hold the data for ransom had deleted the data and left a message in its place demanding payment in bitcoin. Rather than pay the ransom, CloudPets simply restored the data. As of now the data isn’t publicly accessible, but reports indicate that all the leaked passwords are still active. The rub here is that the company behind the CloudPets toys has been unresponsive to users, and the leak could be a violation of California law.

“Normally I would say get in touch with the company involved, but CloudPets is non-responsive,” Hunt said. “I almost think the advice here is to get in touch with local regulators and make a complaint about this.”