Smart Teddy Bear Reportedly Exposed Private Data

Is nothing sacred anymore? This week, a smart teddy bear was hacked and inadvertently exposed some 2 million messages between kids and their parents as well as some 800,000 customer credentials, like emails and passwords, according to Motherboard. According to cyber security expert Troy Hunt, who broke the story on his blog, between Christmas Day last year and the first week of January, Spiral Toys allegedly left the messages between parents and kids on their servers without any firewall. Two data researchers, and possibly hackers, were able to access the data. Romper's request for comment from Spiral Toys, the CloudPets manufacturer and the company behind the smart teddy bears, was not immediately returned.

The exposed data reportedly included messages to and from parents and kids, as well as emails and passwords — no credit card numbers or anything. But still, an email and a password — one that everyone in the whole family knows — can go a long way in a hacker's hands. And while listening to a toddler tell his mommy that he loves her doesn't sound like fun, that information could still be used in any number of ways to exploit or track children as well.

Earlier this month, The Telegraph reported that a smart Fisher Price bear was also hacked. Although the company contracted to manage the data ensured Fisher Price that it wasn't sending anything children said over the internet, vulnerabilities were exposed. Like the Fisher Price bear, the CloudPets connect to an app, and there is no camera or video feature.


But other smart toys on the market do. Last week, the My Friend Cayla doll was banned in Germany because it could potentially be used for spying. Kayla is cute and acts like Siri in that you can ask her questions and she can have a basic conversation. According to The Washington Post, if you ask her if you can trust her, she says, "I don't know" (which many thought was a bit creepy, despite how cute the doll was). The German doll actually transmitted video and audio to a voice recognition company in the United States, where it too was reportedly and unintentionally open to hackers.

Germany banned the doll because officials feared that hackers could use it to gather personal information on families or use the video and audio of children in other ways. Others were concerned about what hackers might be able to do with the related voice recognition company's data.

Even if there was no imminent danger in the latest hack, the message is clear: smart toys may not always be as secure as you might hope, despite companies' best efforts. Sure, the toys are undoubtedly cool (CloudPets ship free to active duty military, for example, which is adorable and heartwarming), but when any data is managed by humans, the data is bound to be exposed eventually if it's not properly contained — and that means everyone should be concerned over security details.