2017-03-13, 10:43:36 am (This post was last modified: 2017-03-13, 11:35:41 am by thirthy_speed. Edited 3 times in total. Edit Reason: added VTech hack )
This was reported about 2 weeks ago (Feb. 28) but I just came across it while looking at some Vault 7 news coverage.
Web security expert Troy Hunt (who runs HaveIBeenPwned) has an excellent writeup on the entire episode. You can also find a less detail-heavy article about this on Motherboard Vice.
The CloudPets' teddy bear is connected to the internet to allow parents and children to record and send each other audio messages when they're far apart. You can watch CloudPets' promotional video to see how it works.
What happened is that on Dec 30 or 31st, someone found out that they could access CloudPets' MongoDB database without any authentication. The database contains users' emails and bcrypt-hashed passwords. Even though the passwords were hashed, CloudPets didn't impose any password rules (e.g. minimum length, numbers, uppercase letters) on their users, which meant that a lot of the passwords were very weak, as Hunt verified when he tested with hashcat. In fact, in their own video tutorial, the password used was "qwe". Once you have an account's password, you can then access pictures and audio recordings for that account via CloudPets' app.
The researchers/journalists tracking this breach also noted 3 separate incidents on Jan 7 and 8 where the original databases were deleted and a ransom demand was made.
To make things worse, numerous attempts were made to contact the company behind CloudPets, Spiral Toys, since Dec 30th last year via their support email, the email listed on their WHOIS record, the email of their hosting provider Linode, among other channels, but there was no response from Spiral Toys up until recently (Feb 27). In any case, there were no more publicly accessible databases after Jan 13 on that IP address.
Troy Hunt's article linked above has a point-by-point rebuttal of inaccuracies in Spiral Toys' response (it's under the headings "Updates I" and "Updates 2").
From what I read, the company has also not informed users about the breach in the two months since it was discovered. One thing I don't really understand is why news reports about this data breach were only published 2 weeks ago even though the breach itself took place more than 2 months ago.
If this is not bad enough, there has also been another recent revelation that anyone with a smartphone within 10m (or further if you use directional antennas) can connect to CloudPets toys via Bluetooth and send or receive commands/data, e.g. sending terrifying audio recordings to the toys. The security researcher who disclosed this, Paul Stone, said that this is possible because the toys don't use Bluetooth security features like pairing, which would allow for authentication/encryption. Technical details of this disclosure can be found on Stone's blog post. The code he used for hacking the toy is hosted on GitHub.
Something similar happened back in Nov. 2015: the database of a HK-based kids' gadget company, VTech, was hacked using SQL injection and leaked details of 4.8+ mil accounts. The database included private information like name, address, IP, and even children's headshots and chat logs. Links: Vice Motherboard's coverage part 1 and part 2, Troy Hunt's writeup, and VTech's press release.