Last year the interactive stuffed animals CloudPets came into a world of trouble. Hackers compromised its database and that is a big problem. So big, that major retailers are now pulling the toys from their stores. Amazon is among them, CNET reports.
Last week Walmart and Target also pulled the toys from their stores. One reason? Mozilla found new vulnerabilities on the CloudPets.
“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.
This new information is the final straw for Amazon. So, the company decided to pull the entire toy line from its online store. No third party merchants on Amazon is allowed to offer CloudPets anymore, too.
Big problems, little action
Researchers found that CloudPets’ apps were last updated in May 2017 for iOS and January 2018 for Android. CloudPets are made by Spiral Toys. They are a talking toy that’s connected online, uses voice recordings and an online app through Bluetooth.
In 2017 hackers accessed the CloudPets database. It has email addresses, passwords and voice recordings from children. Cybercriminals held this information for ransom at least twice, CNET adds. The breach affected more than 800 000 people.
Mozilla and Cure53 conducted tests for vulnerabilities in March this year. They found that CloudPets did not meet security standards. Even worse, Spiral Toys did not respond to a request for comment.
“The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users,” the researchers wrote in their report.
Since the manufacturer of CloudPets never got back to Mozilla, the company decided on another approach. It started informing merchants about the problem. The result is that major retailers are now stopping their sales of CloudPets until something is done for their cybersecurity.