MANILA, Philippines – Spiral Toys, the maker of an internet-connected line of stuffed animals called CloudPets, sprung a massive leak of customer data, including more than two million voice messages from kids and their parents.

Aside from the voice messages, the email addresses and password information of more than 800,000 users were also made available because of the leak.

According to a blog post by online security researcher Troy Hunt, the data was left unsecured in a publicly accessible MongoDB Database. The voice record database was stored by Romanian company mReady, which had a contract with Spiral Toys.

Based on evidence collected so far, the security leak was reported at least 4 times prior to being made public. The data was also accessed by different parties a number of times, among them criminals who held the data for ransom.

Hunt explained that based on the information available, “It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them.”

While the passwords exposed in the leak were hashed with the difficult-to-crack bcrypt algorithm, CloudPets did not require a strong password, so users who only had single-character passwords or other easy-to-crack codes were still severely at risk. 

Hunt also said that based on an examination of the CloudPets app and its infrastructure, “The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children.”

Motherboard, meanwhile, said Victor Gevers, the chairman of the non-profit GDI Foundation which discloses security issues to affected victims, “saw the database while it was exposed online at the end of last year, and said it contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages.”

Speaking with NetworkWorld, Spiral Toys’ CEO Mark Myers denied the assertions. “Were voice recordings stolen? Absolutely not.”

Myers added, “The headlines that say 2 million messages were leaked on the internet are completely false,” calling the security breach “a very minimal issue” after their own examination. – Rappler.com