Cuddly toys that connect to the internet and can send messages back and forth between kids and their parents, grandparents, or other adults who love them seem like a great idea.
But a toy that does just that has left more than 800,000 emails and passwords of its customers vulnerable to hackers, Motherboard reports. It also exposed more than 2 million recordings from children and their families.
Spiral Toys — which owns CloudPets, the offending toy — left data on an unprotected server between Christmas of 2016 and the first week of January, Motherboard reports. During that time, at least two hackers likely got ahold of it and many of the password were so weak they could easily be figured out, Troy Hunt, a security researcher who has analyzed the CloudPets data, told Motherboard.
Many of the billions of cyberattacks in recent years happened because people have passwords that are too simple, Refinery29 previously reported. But even if the people exposed in the CloudPets hack had unbreakable passwords, their information might not have been safe.
"It only takes one little mistake on behalf of the data custodian and every single piece of data can be in the public domain in mere minutes," Hunt wrote in a blog post about the incident. "If you're fine with your kids' recordings ending up in unexpected places then so be it, but that's the assumption you have to work on because there's a very real chance it'll happen."
Victor Gevers, the chairman of the non-profit GDI Foundation which discloses security issues to affected victims, told Motherboard that the exposed data contained 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages.
Although the thought behind CloudPets is sweet, and seems like something any kid with far-away family would love, it might be best to stick to phone calls and regular old stuffed animals.