Senator sends letter demanding answers about what happened & how in a data breach potentially affecting 800,000 people.

It was a fluffy toy with a terrible secret—a leaky database holding kids’ information, and security vulnerabilities that could let attackers control your child’s talking toy, researchers said.

Now, U.S. Senator Bill Nelson, D-Fla., is asking the company behind the CloudPets to explain what lead to a data breach exposing information for as many as 800,000 kids and parents.

“He hopes it spur the company to better secure its data so parents won’t have to worry whether their child’s personal information and photos are at risk from hackers,” said Bryan Gulley, communications director of the  U.S. Senate Commerce Committee, Democratic Office, in an e-mail to Archer News.

Spiral Toys must answer the questions by March 23, Sen. Nelson’s letter to the company said, providing information on what its security measures are and whether anything like it has happened before. 

So far, Spiral Toys has responded to Archer News’ contacts with silence.

“CloudPets is such a horrific case in so many ways,” said Troy Hunt, the researcher who exposed the breach. “Everything that could have gone wrong pretty much did.”

Senator Bill Nelson, D-Fla., sent a letter to Spiral Toys asking for information about the CloudPets data breach.

Breach

The furry CloudPet toys allowed parent and kids to record messages for each other and play them from afar.

The company encouraged military families to use them to keep parents in touch with their children when stationed overseas.

But CloudPets used an unsecured database through a company called MongdoDB that allowed attackers to not only steal kids’ CloudPets data, but also hold it for ransom, according to Hunt. 

He said the company also allowed attackers to track down as many as two million kids’ voice recordings made for their parents and family.

“That Mongo database has all of the references to the exact paths of the voice messages,” Hunt told Archer News. “So, if you have the database, you know where to get the voice message from. And there’s no authorization.”

That means, as of last check, the voice recordings are still vulnerable, Hunt said.

“They haven’t closed that hole,” he said.

CloudPets encouraged military families to use the connected toys & offered a discount for active duty military. Image from CloudPets Facebook page.

Company statement

Spiral Toys told CloudPets customers in a statement to change their passwords immediately.

It also said that it was notified about the data breach on February 22, and did not receive any ransom demands.

Researchers said, however, that they contacted Spiral Toys before February 22, and that the database was indeed ransomed.

Spiral Toys said the voice recordings are protected.

“Recordings are accessed by logging in to the CloudPets app with a legitimate username and password,” the company said in its statement. “Because the passwords in the affected database were encrypted, they could not be used to access a user account in most circumstances.”

But Hunt said the voice recordings are not protected enough and are still vulnerable.

“They’re at the point where they just need to turn it off,” he said.

CloudPets told customers it was notified about the data breach on February 22. But researchers said they contacted CloudPets long before that.

No response

Spiral Toys has not responded to Archer News’ requests for comment about the letter.

A public relations professional who sent out statements on behalf of Spiral Toys last week said he was just helping out, and that we needed to contact Spiral Toys through its website or through its contact e-mail.

But messages sent to the Spiral Toys contact e-mail bounced back. 

And messages sent through the Spiral Toys contact form, the CloudPets webpage, the CloudPets Facebook page and the Spiral Toys’ attorney were not returned.

Messages sent through the Spiral Toys webpage did not get a response.

“Held to account”

The letter may help prevent problems like this in the future, said Hunt.

“It’s evidence that if you don’t do the right thing, you might get asked pointed questions,” he explained. “From a consumer sort of perspective, I think that’s a really good thing.”

Hunt said he is “always a little bit cautious” when politicians get involved, but supports the idea of making Spiral Toys respond to—and deal with—the breach.

“The data that was exposed, the ransoms, the obviously total inability of them to even get the basic facts right,” he said. “I guess what I’d really like to see is them publicly held to account.”

Featured image: CloudPets advertisement from CloudPets webpage.