Troy Hunt reports that a misconfigured MongoDB installation resulted in audio files of children’s and parents’ conversations recorded by CloudPets being exposed in a Shodan search. And as we’ve seen many other times, the exposed files were deleted by an attacker, and a purported “ransom” note left in place of the database – a ransom note that was then stomped on by another attacker’s note. Whether either of those attackers actually exfiltrated the data and saved a copy is unknown at this time. They may have just deleted the database and hoped that their victim would pay the “ransom” demand without demanding to see proof that the attacker actually had a copy of the database.
There’s a lot to feel frustrated about as you read Troy’s detailed chronology and explanations. First, there were numerous unsuccessful attempts to get CloudPets or its parent company, Spiral Toys, to secure their exposed database. Second, personal information, including date of birth, was exposed for over 820,000 parents and/or their children.
Third, Troy raises the issue of whether the audio files and personal information might be circulating on trading platforms or the dark web. There’s some evidence that he provides to suggest that at least some of it may be.
In light of the possibility, CloudPets needs to notify all customers. The company is already in a relatively impoverished state compared to past performance, and the costs of this breach could be a death knell for them. But I’ll save my sympathy for the parents and children at this point because the company had no way to contact them that worked and/or that they responded to.
Read Troy’s article here. CloudPets is just the most recent connected toy to raise privacy concerns, of course. If you’re a parent, please assume that anything the toy can record will be up on a server somewhere, just waiting, perhaps, to be hacked and misused, and whatever that toy records will be linked to your account or customer information or profile.
Scary, isn’t it?
Update: The company has responded. Read this report by Michael Kan and then this thread on Twitter which contains a fuller statement from the toymaker while I try to pick my jaw back up from the floor.
—–BEGIN PGP MESSAGE—–
hQIMAzrnxAo1eKabARAAqr7SgjC2xpGF0pvkz7kkxUOqmZRI/c6XaneE3+Lu8i+w
sYYfy06tXdNZvIQnq9M8Uwc0dD863ozh3CwQ20+51mIfpLmVkMbS1bd5PJUQLeXj
SgbgYiAhjZzsZhzyQzQzMW8nnpIg6bVWRcd7C2GXc4UIcmf7ftpLd6pyUEw8UH5v
ngRB78iarXU/X+GuIHbrfPNawq9PlfRwwXicoj6Seol30eQ44+cvuZFCm8WcB9c2
6oToVUwbTL0P9FvHzisN2sPDH5l/ZmU91lW1xV5pZl1yRSYBTqr76lW/Q0jahRkN
4wUYlvFE+tkPHRMtwY5h9e5u4ROCG63mrgp4EricufQQ+6axjN0UM1OIscj2xuVN
QUBQO4I9EcRiWwAVFs3pQfndrIVXBloduZWMu0tJXq6QWkdaD/KEDmUVTDxXbjmT
SzntuqrD8zPl+YAS5VYcywsrON65vbNWO7d/9loYm72UWL27zDao5CMVTCNU77aP
OX++wJnK+lv3nps8ErH0V0iB1fLN0yHyX1vrMgNRhatWh1/EAU4GKaQx8UmHU1kG
mibHWLqKG1JVa+OjMXndt6eG7/j/+UOS8w4lTMgTsW1S6U2WENR4KGT42L+58+IV
mxNAxkX4rjXEUVTKcNnoLMMVnbT3QlAzp7lvDRJwa6R0ZNp/XzoGYPyxQTC0TPTS
VwGsv5ZKscmS8O11Mn8+tPaa2OLBafx/sZivAigr88vyqRhKgNcKy2LnPucEA2GA
l1AUWEvYJ2rA+6x5xINPEBnYz+KRP2/ofCZncaQercJL1GOxcl8mDA==
=F9RF
—–END PGP MESSAGE—–
Try email to [email protected] or [email protected].
Scary.