A line of stuffed animals, these connected toys pair with a mobile application that was vulnerable because a number of weak APIs didn't verify who sent messages. This meant that an attacker could guess usernames or email addresses and ask Fisher-Price's servers to return details about associated accounts and children's profiles, which include their name, birthdate, gender, language and the toys they have played with.
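The missing check described above, shown as an added example rather than Fisher-Price's code: a profile lookup that trusts whatever account name it is given, next to one that verifies the caller first and counts refused lookups. All names, tokens and records are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; field names mirror the data listed above.
PROFILES = {
    "parent_a@example.com": {"name": "Sam", "birthdate": "2012-04-01",
                             "gender": "m", "language": "en", "toys": ["bear"]},
    "parent_b@example.com": {"name": "Ana", "birthdate": "2013-09-15",
                             "gender": "f", "language": "es", "toys": ["monkey"]},
}
# Constructed session tokens, each bound to the account that logged in.
SESSIONS = {"token-a": "parent_a@example.com", "token-b": "parent_b@example.com"}
DENIED = Counter()  # refused lookups per authenticated caller


def get_profile_unverified(requested_account):
    """Weak pattern: answers for any account identifier the sender supplies."""
    profile = PROFILES.get(requested_account)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def get_profile_verified(session_token, requested_account):
    """Hardened pattern: authenticate the sender, then check ownership."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, {"error": "authentication required"}
    # Identical answer for "someone else's account" and "no such account",
    # so a response never confirms that a guessed username exists.
    if caller != requested_account or requested_account not in PROFILES:
        DENIED[caller] += 1
        return 403, {"error": "forbidden"}
    return 200, PROFILES[requested_account]


def callers_over_limit(limit):
    """Callers with at least `limit` refused lookups, for review or throttling."""
    return sorted(c for c, n in DENIED.items() if n >= limit)
```
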
Tip: If the IoT device connects to a mobile app or desktop computer, it is important to examine how it connects. If the URL starts with http rather than https, the secure version of HTTP, then your device is making a less secure connection.