No one wants to learn that they have been hacked; a company that is not doing so well may be especially afraid after a breach. But burying your head in the sand and hoping it will all go away if you ignore it for long enough is simply not going to make the breach disappear. In the case of CloudPets, owned by Spiral Toys, it wasn’t the cute and huggable smart stuffed toys hackers were hugging, but the data.

Here it is:
- Toy captured kids voices
- Data exposed via MongoDB
- 2.2m recordings
- DB ransom'd
- And much more...
https://t.co/HvePnZleXR
— Troy Hunt (@troyhunt) February 27, 2017

Kids with the toys can send and receive voice messages from people such as parents and grandparents. CloudPets are relatively inexpensive connected toys, popular enough that the company's MongoDB database held 821,000 user records and referenced about 2.2 million voice recordings of kids and parents. Unfortunately, the database was not protected by a password at all and had been indexed by Shodan, so anyone searching for exposed MongoDB instances could find it.

While it’s unknown how many attackers grabbed the data, security researcher Troy Hunt said the database was deleted and held for ransom at least three times. It was wiped and replaced with ransom demands left under names such as “PWNED_SECURE_YOUR_STUFF_SILLY,” “README_MISSING_DATABASES” and “PLEASE_READ.” As you may recall, early in January there was a huge spike in unsecured MongoDB installs being erased and replaced with ransom demands.

Hunt said CloudPets’ MongoDB had been exposed without a password since at least Christmas 2016; it finally stopped being publicly accessible on January 13.

Security researcher Victor Gevers, aka @0xDUDE and co-founder of the GDI Foundation, tried to contact the company back in December and also filed a customer support ticket through Zendesk.
Other security researchers also attempted to reach out, yet the company was difficult to contact and did not respond to people trying to alert it to the exposed database. The toy maker finally responded yesterday and even claimed it had not received any of the warnings about its exposed database.

Hunt was “stunned” after CloudPets CEO Mark Myers told IDG's Michael Kan, “Were voice recordings stolen? Absolutely not.”

The voice recordings and profile pictures were stored in Amazon S3, Hunt said, but referenced in the MongoDB. Hunt then gave an example of a voice recording that could be accessed, saying, “If you know the reference to the S3 file, you can download it without authorization.” In other words, the bucket relied on nobody knowing the object references, and the exposed database handed those references over.

The passwords stored in the unprotected database were hashed with bcrypt; however, Hunt pointed out, “Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.”

Regarding the lack of password strength requirements, Myers suggested there needed to be a “balance.” He asked, “How much is too much?”

Hunt didn’t seem to appreciate that response either, writing, “Allowing a password of ‘a’ is too little. Creating a tutorial showing a password of ‘qwe’ is too little. Usually, 6-8 characters of mixed types is a bare minimum and the decision to have absolutely no password strength requirements whatsoever means many passwords can be readily cracked, thus granting access to the voice recordings for the account.”

Myers disputed the veracity of headlines claiming 2 million CloudPets’ messages were leaked online.
In fact, after learning of the breach, the company decided “it was a very minimal issue.”

Hunt took issue with that blundering statement as well, writing, “To suggest that the exposure and ransom of a database containing 821k user records and providing access to millions of voice recordings from and to children represents ‘a very minimal issue’ is just unfathomable.”

Spiral Toys, which is based in California, has not yet filed any data breach notifications even though the state's data breach reporting laws require it to. As Data Breach Today pointed out, “As of January 1, the state requires public notification for breaches affecting 500 or more residents even when encrypted data gets leaked if security credentials or encryption keys that could unlock the data were also exposed.”

CloudPets is just the latest case highlighting the privacy implications of giving kids internet-connected toys. This may spell the end for the company, but there are plenty of others in a rush to enter the IoT marketplace without giving a thought to security during design. And even if security is considered, it can all be undone by a simple misconfiguration of a database committed by a third-party server management vendor.
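Hunt's point about bcrypt and password strength deserves a concrete demonstration, so here is an added worked example; it is not CloudPets' code and nothing in it comes from the article. It simulates what an attacker holding the leaked user records could do: run a short wordlist against the stored hashes and log in as every account whose password falls. Assumptions: the standard library's PBKDF2 stands in for bcrypt (bcrypt is not in the Python standard library, and the lesson is the same, since a slow salted hash only raises the cost per guess and cannot rescue a password that is among the first few guesses); the sample accounts, their passwords and the wordlist are constructed here; and the policy thresholds in `password_meets_policy` are this example's reading of Hunt's "6-8 characters of mixed types", not a policy CloudPets had.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. Its iteration count plays
# the role of bcrypt's cost factor; kept deliberately low so the demo runs fast.
ITERATIONS = 2_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salt and slow-hash a password, returning (salt, digest) as a site would store it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(guess: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a guess and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample accounts. 'a' and 'qwe' mirror the passwords Hunt called out.
SAMPLE_USERS = {
    "mom": "a",
    "grandpa": "qwe",
    "dad": "password",
    "aunt": "Sprinkle-Teddy-42",  # the one password that would survive
}

# Constructed tiny wordlist. A real attacker uses lists with millions of
# entries, but passwords like the ones above fall to even this.
WORDLIST = ["123456", "password", "a", "qwerty", "qwe", "cloudpets", "letmein"]


def build_dump(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Simulate the leaked table: username -> (salt, hash), passwords never stored."""
    return {user: hash_password(pw) for user, pw in users.items()}


def crack(dump: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack: try every wordlist entry against every stored hash.

    The salt and slow hash force one hash computation per (user, guess) pair,
    which is exactly the cost an attacker happily pays for a seven-word list.
    """
    cracked: dict[str, str] = {}
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked


def password_meets_policy(password: str, min_len: int = 8) -> bool:
    """Signup-time check this example proposes: minimum length plus at least two
    character classes. Thresholds are this example's choice, not CloudPets' policy."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 2


def accounts_rejected_by_policy(users: dict[str, str]) -> list[str]:
    """Which sample accounts would never have been created under the policy."""
    return [user for user, pw in users.items() if not password_meets_policy(pw)]


if __name__ == "__main__":
    dump = build_dump(SAMPLE_USERS)
    print("cracked from the dump:", crack(dump, WORDLIST))
    print("would have been rejected at signup:", accounts_rejected_by_policy(SAMPLE_USERS))
```

Run as a script it shows three of the four accounts falling to a seven-entry wordlist despite every hash being salted and slow, and the same three being the ones a minimal strength policy would have refused at signup. Raising the iteration count (or bcrypt's cost factor) only scales the attacker's time linearly; it is the policy, not the hash, that keeps 'a' and 'qwe' out of the database in the first place.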