DataBreaches.Net


Spiral Toys sends something to the California Attorney General, but what is it?

Posted on February 28, 2017 by Dissent

This just gets stranger and stranger in terms of how Spiral Toys is responding to the CloudPets leak and hack reported by Troy Hunt. Below is a Spiral Toys notification sent to the California Attorney General’s Office today. All typos are as in the original. Why they sent this thing to the California Attorney General’s Office is unclear; if I were a customer, I’d find it an incoherent mess that does not clearly explain what happened and what data was exposed and/or actually acquired.

Re: CloudPets Data Breech:

Spiral Toys was told about a potential breach on February 22, after receiving an inquiry from Canadian Vice Media journalist Lorenzo Franceschi-Bicchierai, who says he was contacted by the alleged hacker. “After receiving [Franceschi-Bicchierai’s] email, we carried out an internal investigation and detected an issue with a migration server MongoDB,” Spiral Toys says. “We immediately conducted a comprehensive check of the development site and confirmed that the data breach was fixed on January 9th as the server was being developed. After conducting research the data breach was part of a massive cyber attack on MongoDB that affected over 28,000 instances globally.”

When we were informed of the potential security breach on our MongoDB server, we took extra precautions and also researched if the message and image date were exposed. At that time the data was on a different server and could not have been affected by the security breach.

From our best efforts we can not detect any breach on our message and image data.
The statement that 2M+ messages were leaked is misleading readers into believing that all messages and images on our servers were obtained by hackers. In the leaked data all passwords were encrypted. The messages and images of a customer account could not be accessed unless a hacker “guessed” the password.

The hacker could have stolen the email addresses and could start running tests to find simple passwords such as “1234” or “password”. In the CloudPets terms of use we do recommend customers to use complex passwords and do not use a password you use elsewhere.

Since there is a potential that hackers could try to guess passwords to acquire customers information we have invalidated all current passwords. For the protection of our users we are now requiring users to choose new increased security passwords.

The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. It is very unfortunate that during a standard development we were exposed to a cyber attack.

We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future. We’re going to post on our website any updates regarding the story.

In response to some of the statements made in the press, please find below our disclaimers:

  • Spiral Toys was not contacted by any cyber security professionals nor a hacker holding the data for ransom.
  • The CloutPets production server and app were at no time affected by this incident.
  • The breach has been addressed and from our best knowledge no images or messages were leaked onto the internet. A hacker could get to that data if they started “guessing” simple passwords.
  • CloudPets is not a WiFi based toy connected to the internet but it does connect to an APP through bluetooth low energy. The APP does have parental controls to screen messages.
  • We will be contacting all of our customers with emails, around 500,000 users, and inform them of the breach. We will also require them to reset the password and for them to be more complex as a precaution.
  • Once we have addressed our customer needs and document the incident we will file the cyber crime with the State Attorney General in California.
  • We also believe a review of the title and certain statements in the article written by journalist Lorenzo Franceschi-Bicchierai should be made, given that they are not accurate and are damaging to a company.

Regards,

Spiral Toys

Update: CloudPets also posted this “FAQ” on their site. Troy Hunt responded to their notification to the California AG’s office here.

It’s important to remind people that we don’t know how many researchers or others may have downloaded the database while it was exposed, and we don’t know whether or how many people may have followed the links and downloaded actual audio or image files. But given that Spiral Toys/CloudPets has made some assertions that are easily refuted by proof (e.g., that they weren’t notified by any researcher, when Victor Gevers has provided proof he notified them in December), their other claims need to be evaluated with a skeptical eye.

Category: Business Sector, Exposure, Hack

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.