UPDATE (Mar. 1): In a statement to Global News, Spiral Toys said it was notified about a potential breach on February 22 and took immediate action to protect its customers.
“When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed. To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted,” said a company spokesperson.
“We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.”
The company did not comment on claims of leaked voice recordings from parents and children.
Teddy bears aren’t as cuddly as they used to be. Instead of simple stuffing, many are loaded with technology designed to listen and interact with children – technology that, like any, is vulnerable to hackers.
On Monday, security researchers revealed Spiral Toys, maker of the interactive plush toy CloudPets, allegedly left more than 800,000 customer details and two million voice recordings from children and parents exposed on an unsecured database, potentially allowing hackers to listen in.
CloudPets allows parents to download an app and record voice messages to their child, which can be played through the toy. Kids are then able to squeeze the teddy bear’s arm to record their own message in return.
According to Motherboard, which confirmed the leaked data with researchers, the customer data was left on a database that wasn’t protected by a firewall or password.
The database was also found on Shodan, a search engine used to find unprotected Internet of Things (IoT) devices – a service frequently used by online trolls and hackers.
Spiral Toys did not respond to a request for comment from Global News regarding the leaked data.
But this is one of several recent examples worrying experts.
In 2015, electronic toy and education company VTech suffered a massive data breach, exposing more than 10 million customer accounts, including 6.3 million children’s user profiles – 316,000 of which were Canadian. It’s believed hackers were able to obtain children’s profile pictures, as well as chat logs between kids and parents.
Hello Barbie, a Wi-Fi connected interactive version of the world’s most famous doll, also caused a stir in 2015, after security researchers warned the doll could be easily hacked, leaving kids at risk of being spied on.
And, just last week, Germany’s federal communications watchdog banned the interactive My Friend Cayla doll from stores due to concerns hackers could obtain private conversations from the doll over an insecure Bluetooth connection.
“Be aware of all things ‘smart,’” warned former Ontario information and privacy commissioner Ann Cavoukian. “You don’t know where that information is going.”
Cavoukian, who has been quite outspoken about the risk of devices like smart TVs eavesdropping on users, said parents should be aware of the numerous threats to their child’s privacy and safety when having these devices in their home.
“You can’t control who has access to that data,” she said, noting it’s not just hackers people have to be aware of. “Even if the companies that are monitoring that data employ good people, there could be one with perverse intentions.”
Experts have also warned children could be at risk for identity theft in the future, should personal information like their name, address, or date of birth be exposed.
“Even though there was no parent credit card information stolen, criminals can take that basic biographical information and pretend they are the child to commit identity theft,” Avner Levin, director of the Privacy and Cybercrime Institute at Ryerson University, told Global News in 2015.
Although there isn’t yet any data to back up these claims, using a child’s identity isn’t unheard of. In 2014, an Ontario woman was charged with allegedly using the identity of a child who died more than 40 years earlier.
“You must assume data like this will end up in other people’s hands. Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach,” wrote security researcher Troy Hunt in a blog post about the CloudPets breach.
“It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.
“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen.”
Cavoukian personally recommends parents avoid toys with internet-connected features, or, at least, turn off their voice recording features if possible.