The MongoDB database behind CloudPets was not protected with a password. It is unknown how many hackers gobbled up the data, but the database was deleted and replaced with ransom demands at least three times. No one wants to learn that they have been hacked, and a company that is not doing so well might be truly frightened after it is breached. But burying your head in the sand and hoping it will all go away if you ignore it long enough does not make a breach disappear. In the case of CloudPets, owned by Spiral Toys, it wasn’t the cute and huggable smart stuffed toys the hackers were hugging, but the data.

“Here it is: – Toy captured kids voices – Data exposed via MongoDB – 2.2m recordings – DB ransom’d – And much more… https://t.co/HvePnZleXR” — Troy Hunt (@troyhunt) February 27, 2017

Kids with the toys can send and receive voice messages from people such as parents and grandparents. CloudPets are relatively inexpensive connected toys, and popular enough for the MongoDB database to contain 821,000 user records and reference about 2.2 million voice recordings of kids and parents. Unfortunately, the database was not even protected with a password and had been indexed by Shodan, which means people found the exposed database.

While it is unknown how many hackers gobbled up the data, security researcher Troy Hunt said hackers deleted the database and tried to ransom the data at least three times. The database was wiped and replaced with ransom demands via “PWNED_SECURE_YOUR_STUFF_SILLY,” “README_MISSING_DATABASES” and “PLEASE_READ.” As you may recall, early in January there was a huge spike in MongoDB installs being erased and replaced with ransom demands.

Hunt said CloudPets’ MongoDB database had no password protection from at least Christmas 2016; it finally stopped being publicly accessible on January 13. Security researcher Victor Gevers, aka @0xDUDE and co-founder of the GDI Foundation, tried to contact the company back in December and also filed a customer support ticket with Zendesk.
Other security researchers also attempted to reach out, yet the company was difficult to contact and did not respond to people trying to alert it to the exposed database. The toy maker finally responded yesterday and even claimed it had not received any of the warnings about its exposed database.

Hunt was “stunned” after CloudPets CEO Mark Myers told IDG’s Michael Kan, “Were voice recordings stolen? Absolutely not.” The voice recordings and profile pictures were stored in Amazon S3, Hunt said, but were referenced in the MongoDB database. Hunt then gave an example of a voice recording that could be accessed, saying, “If you know the reference to the S3 file, you can download it without authorization.”

The passwords stored in the unprotected database were hashed with bcrypt, but Hunt pointed out, “Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.”

Regarding the lack of password strength requirements, Myers suggested there needed to be a “balance.” He asked, “How much is too much?”

Hunt didn’t seem to appreciate that response either, writing, “Allowing a password of ‘a’ is too little. Creating a tutorial showing a password of ‘qwe’ is too little. Usually, 6-8 characters of mixed types is a bare minimum and the decision to have absolutely no password strength requirements whatsoever means many passwords can be readily cracked, thus granting access to the voice recordings for the account.”

Myers disputed the veracity of headlines claiming 2 million CloudPets messages were leaked online.
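Hunt’s point about bcrypt and password strength, as an added illustration that is not CloudPets’ or Spiral Toys’ code: a slow hash only protects passwords an attacker cannot guess, so the policy gate below encodes his stated bare minimum (assumed here as eight characters drawn from at least two character types) and rejects ‘a’ and ‘qwe’ before anything is hashed. PBKDF2 from Python’s standard library stands in for bcrypt so the snippet runs without third-party packages; the parameters and the storage format are assumptions of this example.

```python
"""Password-policy gate in front of a slow hash (added example, not Spiral Toys code)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8      # assumption: upper end of Hunt's "6-8 characters"
MIN_CLASSES = 2     # assumption: "mixed types" read as at least two classes
PBKDF2_ROUNDS = 600_000
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(any(c in cls for c in password) for cls in CLASSES)


def policy_violations(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < MIN_CLASSES:
        problems.append("fewer than %d character types" % MIN_CLASSES)
    return problems


def enroll(password: str) -> str:
    """Hash an accepted password with a fresh salt; raise on one the policy rejects."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # The two passwords Hunt named, plus one that clears the policy.
    for candidate in ("a", "qwe", "Correct-Horse9"):
        print(candidate, policy_violations(candidate) or "accepted")
```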
In fact, after learning of the breach, the company decided “it was a very minimal issue.”

Hunt took issue with that blundering statement as well, writing, “To suggest that the exposure and ransom of a database containing 821k user records and providing access to millions of voice recordings from and to children represents ‘a very minimal issue’ is just unfathomable.”

Spiral Toys, which is based in California, has not yet filed any data breach notifications even though it is required to do so under the state’s data breach reporting laws. As Data Breach Today pointed out, “As of January 1, the state requires public notification for breaches affecting 500 or more residents even when encrypted data gets leaked if security credentials or encryption keys that could unlock the data were also exposed.”

CloudPets is just the latest case highlighting the privacy implications of giving kids internet-connected toys. This may spell the end for the company, but there are plenty of others rushing into the IoT marketplace without giving a thought to security during design. And even when security is considered, it can all be undone by a simple misconfiguration of a database committed by a third-party server management vendor.