Blog: Consumer Advice

CloudPets data breach

Ken Munro 28 Feb 2017

If you’ve bought a child one of these you need to read and follow our advice ASAP.

Last night the security blogger Troy Hunt exposed a huge security and data breach directly relating to CloudPets toys. The full post is here:
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/.

The key points are that they suffered data breaches, didn’t tell anyone, were held ransom, ignored help offered by researchers, allowed children’s voice data to be compromised, and generally were pretty bad at doing the right thing all along.

While you might not think that losing recordings of children’s voices is an issue, consider the loss of password data. In a world where many people use the same password and email address for multiple accounts it IS an issue.

What to do:

  1. Turn the toy off, take out the batteries, throw it in the bin
  2. Using a browser or the app, login to your CloudPets account and attempt to delete it. There is a chance that this may remove any of your kids audio from their server
  3. Uninstall the mobile app
  4. Try and remember your CloudPets account password
  5. If you’ve used it anywhere else then change your passwords, and start using a password manager. There’s full advice on that here:
    https://www.pentestpartners.com/blog/password-re-use-the-game-is-changing-so-use-a-password-vault/
  6. Stop buying IoT junk