Smart teddy bear maker faces scrutiny over data breach response

Did a toymaker ignore warnings about a data breach? That’s a key question swirling around Spiral Toys, a company behind a line of smart stuffed animals that security researchers worry can be easily hacked.

On Tuesday, Spiral Toys said the breach, which affects 800,000 user accounts, only came to its attention last week on Feb. 22.

The statement is raising eyebrows. One researcher named Victor Gevers began contacting the toymaker about the problem in late December, when he noticed that a company MongoDB database storing customer information was publicly exposed.

Gevers has even documented his efforts to contact Spiral Toys, which involved sending email, messaging its CEO through a LinkedIn invite, and working with a journalist from Vice Media to try to warn the company about the breach.

Despite those attempts, he never received a response.

The breach only managed to grab headlines on Monday when another security researcher named Troy Hunt blogged about it.  

Clashing views

The toys in question, which are sold under the CloudPets brand, can allow parents and their children to send voice messages through the stuffed animals over the internet. However, Hunt found evidence that hackers looted the exposed MongoDB database that stored the toys’ customer login information.

“Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” he said.
