Another week, another data breach: this time it involves children however, and it's a nasty one.

Over two million voice messages between parents and children recorded by CloudPets, cute stuffed toy animals, have been leaked online. A database with 800,000 voice messages was left unsecured, and hackers now have that data.

Adding insult to injury, the wide open database was hacked, the information it stored deleted and a ransom note posted, asking for NZ$1,665 in Bitcoin to restore the data.

News of the CloudPets gaffe again came via Troy Hunt, the Australian data breach smeller pursuivant.


Hunt was contacted by people who had spotted the CloudPets data floating around on the internet after attempts at warning the Californian toy maker in question, Spiral Toys, about the information leak were ignored.

There is a good technical deep-dive on Hunt's site that explains what Spiral Toys did wrong and which led to the data breach.

It's a sad read. The long and short of it is that Spiral Toys was massively incompetent and in being that, violated lots of children's privacy - and their parents' too. People's personal data was left online with no or totally inadequate safeguards, which is completely unacceptable, especially when children are involved.

Spiral Toys continues to deny that the data was leaked and that they're at fault, which adds to the concern. The decent thing would be to own up to what's happened, and notify parents who are affected by the data leak.

Once you hand over your data, you've pretty much lost control over it too. Apart from safeguarding it, the big problem with providing sensitive data to any third-party is that you have no guarantees that it will be deleted if you so wish.

There's only one thing a parent can do here, and that's to stay away from internet-connected toys. They're not safe, and should not be near your children.

In the case of CloudPets, it gets worse though: the wireless communications tech built into the teddies isn't secured at all.

This means the cute teddies can be turned into spying devices. Not only that, but a bad person could record nasty voice messages on the toys.


The CloudPets data leak should be a call to action for government watchdogs to investigate "smart toys" because they are a danger to kids thanks to incompetent and irresponsible manufacturers.

Why you should avoid connected toys for your children

• December 1, 2015: Toy maker Vtech exposes sensitive information for five million parents and children, including selfies and private messages.

• December 7, 2015: "Hello Barbie" doll could eavesdrop on your kids.

• February 18, 2017: Germany bans the wireless Cayla doll with hidden cameras and microphones, for fear it could be used to spy on kids.