Exposed Database For CloudPet Toys Included Information And Voice Recordings
Unless you have kids, you may not have even known about CloudPets, or the MongoDB, much less the recent hack or the shocking lack of security.
Firstly, yes. Smartpets are a “thing.” They are a new type of stuffed toy for small children connected to the internet. Parents and grandparents can record messages for their kids and upload them, and the children can play them back via their stuffed toy.
Unfortunately, the security surrounding the database wasn’t just bad, it was completely nonexistent. It wasn’t password protected at all, which allowed an unknown number of hackers to download it in its entirety. This amounted to more than 821,000 voice recordings, and the personal account info of all the users being stolen.
Worse, on at least three separate occasions, the database was deleted, and a ransom note text file left in its place, so it’s not as though the company didn’t know that something was amiss. Their response to the repeated hacks and deletions?
In fact, the CEO of Spinal Toys, who makes CloudPets, complained that more was being made of the issue than was necessary, and downplayed its significance. No corrective actions were taken, and the unprotected database was vulnerable from at least December 2016 to January 2017 when it was finally taken offline with no comment.
This is a textbook case of how not to handle a breach, and the company faces an uncertain future.
A breach, regardless of its size and severity, is a very big deal, and should be treated as such. Not only does it put your own propriety data at risk, but it can also lead to identity theft of your customers, to say nothing of the loss of trust which can take years to earn back.
This incident should be studied by every small or medium-sized business owner and should serve as a warning about the importance of digital security and its proper handling.