This just gets stranger and stranger in terms of how Spiral Toys is responding to the CloudPets leak and hack reported by Troy Hunt. The following is the Spiral Toys notification sent to the California Attorney General’s Office today. All typos are as in the original. Why they sent this thing to the California Attorney General’s Office is unclear; if I were a customer, I’d find it an incoherent mess that does not clearly explain what happened and what data was exposed and/or actually acquired.
Re: CloudPets Data Breech:
Spiral Toys was told about a potential breach on February 22, after receiving an inquiry from Canadian Vice Media journalist Lorenzo Franceschi- Bicchierai, who says he was contacted by the alleged hacker. “After receiving [Franceschi-Bicchierai’s] email, we carried out an internal investigation and detected an issue with a migration server MongoDB,” Spiral Toys says. “We immediately conducted a comprehensive check of the development site and confirmed that the data breach was fixed on January 9th as the server was being developed. After conducting research the data breach was part of a massive cyber attack on MongoDB that affected over 28,000 instances globally.”
When we were informed of the potential security breach on our MongoDB server, we took extra precautions and also researched if the message and image date were exposed. At that time the data was on a different server and could not have been affected by the security breach.
From our best efforts we can not detect any breach on our message and image data.
The statement that 2M+ messages were leaked is misleading readers into believing that all messages and images on our servers were obtained by hackers. In the leaked data all passwords were encrypted. The messages and images of a customer account could not be accessed unless a hacker “guessed” the password.The hacker could have stolen the email addresses and could start running tests to find simple passwords such as “1234” or “password”. In the CloudPets terms of use we do recommend customers to use complex passwords and do not use a password you use elsewhere.
Since there is a potential that hackers could try to guess passwords to acquire customers information we have invalidated all current passwords. For the protection of our users we are now requiring users to choose new increased security passwords.
The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. It is very unfortunate that during a standard development we were exposed to a cyber attack.
We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future. We’re going to post on our website any updates regarding the story.
In response to some of the statements made in the press, please find below our disclaimers:
- Spiral Toys was not contacted by any cyber security professionals nor a hacker holding the data for ransom.
- The CloutPets production server and app were at no time affected by this incident.
- The breach has been addressed and from our best knowledge no images or messages were leaked onto the internet. A hacker could get to that data if they started “guessing” simple passwords.
- CloudPets is not a WiFi based toy connected to the internet but it does connect to an APP through bluetooth low energy. The APP does have parental controls to screen messages.
- We will be contacting all of our customers with emails, around 500,000 users, and inform them of the breach. We will also require them to reset the password and for them to be more complex as a precaution.
- Once we have addressed our customer needs and document the incident we will file the cyber crime with the State Attorney General in California.
- We also believe a review of the title and certain statements in the article written by journalist Lorenzo Franceschi-Bicchierai should be made, given that they are not accurate and are damaging to a company.
Regards,
Spiral Toys
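The notification above rests on two claims about passwords: that the leaked ones were "encrypted" so an attacker would have to guess weak ones like "1234" or "password", and that all existing passwords have been invalidated with a stronger policy required on reset. The following is an added example, not code from Spiral Toys or from this post, showing what a defensible version of that mitigation looks like in practice: a reset flag that blocks logins until a new password is chosen, a policy check that rejects denylisted and trivially guessable passwords, and a salted memory-hard hash (scrypt from the standard library) rather than reversible "encryption". The user records, the denylist and the policy thresholds are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed denylist; a real deployment would use a full breached-password
# corpus (assumption: this small set stands in for it).
COMMON_PASSWORDS = {"1234", "password", "12345678", "qwerty", "letmein", "cloudpets"}
MIN_LENGTH = 12
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def password_policy_violations(password: str, email: str = "") -> List[str]:
    """Return the list of policy rules the candidate password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    local_part = email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the account's email local part")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; a per-user random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    """In-memory stand-in for the account table (constructed for the example)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def add_user(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest, "must_reset": False}

    def invalidate_all(self) -> int:
        """Force every account through a reset, as the notification says was done."""
        for record in self.users.values():
            record["must_reset"] = True
        return len(self.users)

    def login(self, email: str, password: str) -> str:
        record = self.users.get(email)
        if record is None or not verify_password(password, record["salt"], record["digest"]):
            return "denied"
        if record["must_reset"]:
            return "reset_required"  # old credential still has to be proven, but grants no access
        return "ok"

    def set_password(self, email: str, new_password: str) -> List[str]:
        """Apply the policy; only a compliant password clears the reset flag."""
        problems = password_policy_violations(new_password, email)
        if problems or email not in self.users:
            return problems or ["unknown account"]
        salt, digest = hash_password(new_password)
        self.users[email].update(salt=salt, digest=digest, must_reset=False)
        return []


def demo() -> Tuple[str, List[str], str]:
    store = UserStore()
    store.add_user("parent@example.com", "password")  # weak legacy password
    store.invalidate_all()
    before = store.login("parent@example.com", "password")
    rejected = store.set_password("parent@example.com", "1234")
    store.set_password("parent@example.com", "Sp1ral-Bear!Story")
    after = store.login("parent@example.com", "Sp1ral-Bear!Story")
    return before, rejected, after


if __name__ == "__main__":
    print(demo())
```

The point of the reset flag is that knowing the old password, even a correct one, yields nothing until a policy-compliant replacement is set, which is what "invalidated all current passwords" should mean operationally.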
Update: CloudPets also posted this “FAQ” on their site. Troy Hunt responded to their notification to the California AG’s office here.
It’s important to remind people that we don’t know how many researchers or others may have downloaded the database while it was exposed and we don’t know whether or how many people may have followed the links and downloaded actual audio or image files. But given that Spiral Toys/CloudPets has made some assertions that are easily refuted by proof (e.g., that they weren’t notified by any researcher, when Victor Gevers has provided proof he notified them in December), then their other claims need to be evaluated with a skeptical eye.
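The root cause the notification describes, a MongoDB "migration server" reachable from the internet during the early-2017 wave that hit tens of thousands of instances, comes down to two settings in mongod.conf: which interfaces the daemon binds to and whether authorization is enabled. The following audit script is an added example, not part of this post or of any Spiral Toys code; it reads the YAML-style `net.bindIp`, `net.bindIpAll` and `security.authorization` keys with a minimal two-level parser (assumption: the file uses the standard `section:` / indented `key: value` layout, so no PyYAML is required) and reports the two misconfigurations that left such instances exposed. Both sample configurations are constructed.

```python
from typing import Dict, List

EXPOSED_CONF = """
# constructed sample: a development/migration box left open
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
# constructed sample: loopback only, with authorization on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for the two-level 'section:\\n  key: value' mongod.conf layout."""
    conf: Dict[str, Dict[str, str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        else:
            conf.setdefault(section, {})[key] = value
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings for the two settings behind the 2017 open-MongoDB exposures."""
    conf = parse_mongod_conf(text)
    findings = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "")
    addresses = {a.strip() for a in bind_ip.split(",") if a.strip()}
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif not addresses:
        findings.append("net.bindIp is not set: builds before 3.6 listened on all interfaces by default")
    elif addresses & {"0.0.0.0", "::"}:
        findings.append(f"net.bindIp includes a wildcard address ({bind_ip}): reachable from any network")

    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can connect reads every database")

    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["no findings"])
```

Binding to loopback alone is not enough once a host needs to serve other machines, which is why the authorization check is reported independently: a firewall or bind address limits who can reach the port, while authorization limits what a connection can do once it gets there.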