You can be on Entrepreneur’s cover!

Connected Teddy Bears Leaked Kids' Voices Online The supposedly private messages were even held for ransom.

By Jon Fingas

entrepreneur daily

This story originally appeared on PCMag

CloudPets via engadget

When Germany banned a connected doll over security concerns, it wasn't being overly cautious. As it turns out, there's a textbook example of what happens when toy data privacy goes horribly wrong.

Security researchers have discovered that Spiral Toys' internet-savvy teddy bears, CloudPets, stored kids' voice messages to their parents (not to mention names and birthdays) in an insecure, misconfigured database that anyone could access online. While the passwords for the toys' accounts (more than 821,000 of them) were stored in a cryptographic hash, there was no password strength limit -- it was trivial to crack many accounts and download voice data at will. And it gets worse.

Info security expert Niall Merrigan found evidence that the databases were compromised. Intruders copied the databases, deleted the originals and demanded a payment in bitcoin to get the data back. Given that the databases appeared to be completely gone by Jan. 13, it doesn't appear that Spiral gave into or acknowledged the demands.

As for Spiral's response? There is none, and might never be. Microsoft's Troy Hunt and others have tried reaching out to Spiral multiple times to no avail, and the company doesn't appear to have notified customers despite obvious signs that something was amiss. From all indications, the company is on life support or dead: its social media accounts have been silent for months and its stock price is near worthless.

The kicker is that a lot of this would be entirely avoidable. Rapid7 security research director Tod Beardsley tells Engadget that all of the flaws have could been addressed, but that Spiral seems "uniquely uninterested" in taking them on. While Rapid7 tends to get responses from companies "about 70 percent of the time" and almost always sees them implement a fix or workaround when they get in touch, it's "increasingly rare" for a company to go completely silent.

Between this incident and revelations for other products, it's clear that connected toy makers are walking on glass when they decide to put kids' communications online. Even if a company doesn't do anything shady, such as passing the info along to irresponsible third-parties, it can only take a slip-up to expose extremely sensitive messages to the world. And that's assuming skilled hackers don't find it first, or that the company doesn't go belly-up without a firm plan to erase stored data.

This doesn't mean that companies should abandon internet-capable toys altogether, but they need both weigh the merits of storing any info online and take very, very through precautions to make sure that leaks like this can't happen.

Jon Fingas is an associate editor at Engadget.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business News

'Wildly Inappropriate': Woman Says She Was Denied a Job Because She Didn't Wear Makeup During the Interview

Melissa Weaver was applying for a VP of HR job at a tech company via video.

Business News

From Tom Brady to Kevin O'Leary – See Who Lost Big in the Wake of the FTX Crypto Collapse

The crash exposed an $8 billion hole in FTX's accounts, leaving investors and customers scrambling to recoup their funds.

Business News

This Highly-Debated Piece of Cinematic History Just Sold For Over $700,000 at Auction

The wood panel from "Titanic" is often mistaken as a door. Either way, he couldn't have fit. (Sorry.)

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.