2017 CloudPets data breach

Last updated

CloudPets were a line of Internet-connected soft toys manufactured by now defunct Spiral Toys that was the subject of numerous security vulnerabilities in February 2017. [1] [2] The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone to allow distant family members to send voice messages to the toy, and allow children to send voice messages back. [3]

Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth. The personal records of over 820,000 owners of the toy [4] were stored in an insecure MongoDB database. Attackers also replaced the database with a ransom demand pointing to a Bitcoin address. [5] Data retrieved from the CloudPets database was sent to the Australian security researcher Troy Hunt who included it in Have I Been Pwned?, a database of users whose data has been compromised. The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys. [4] [6] Hunt stated that the database hack was "ridiculously easy". [7]

Following disclosure of security vulnerabilities, CloudPets started enforcing stronger password requirements on users of the service—they had previously not enforced any password complexity requirements and their documentation had suggested short, weak passwords. [3] Numerous journalists and security researchers including Hunt noted that the company was non-responsive to disclosures from security researchers and enquiries from journalists. [4]

See also

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

LastPass is a password manager application. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.

The 2011 PlayStation Network outage was the result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to deactivate the PlayStation Network servers on April 20. The outage lasted 23 days.

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

In July 2012, Yahoo Voice, a user-generated content platform owned by Yahoo, suffered a major data breach. On July 11, 2012, a hacking group calling itself "D33DS Company" posted a file online containing approximately 450,000 login credentials and passwords from Yahoo Voice users. The data was obtained through a SQL injection attack that exploited vulnerabilities in Yahoo's database servers.

In July 2015, an unknown person or group calling itself "The Impact Team" announced they had stolen the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The hacker(s) copied personal information about the site's user base and threatened to release users' names and personal identifying information if Ashley Madison would not immediately shut down. As evidence of the seriousness of the threat, the personal information of more than 2,500 users was initially released. The company initially denied that its records were insecure, but it continued to operate.

My Friend Cayla was a line of 18-inch (46 cm) dolls which used speech recognition technology in conjunction with an Android or iOS mobile app to recognize a child's speech and perform conversations with users. The doll used the internet to search what the user said, and then responded with data that it found online. My Friend Cayla was created by Bob Delprincipe, inventor of Cindy Smart and Tekno the Robotic Puppy. The doll is banned in Germany, since the German government considers it to be a surveillance device.

<span class="mw-page-title-main">Have I Been Pwned?</span> Consumer security website and email alert system

Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

<span class="mw-page-title-main">Troy Hunt</span> Australian web security expert

Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created and operates Have I Been Pwned?, a data breach search website that allows users to see if their personal information has been compromised. He has also authored several popular security-related courses on Pluralsight, and regularly presents keynotes and workshops on security topics. He created ASafaWeb, a tool that formerly performed automated security analysis on ASP.NET websites.

Cloudbleed was a Cloudflare buffer overflow disclosed by Project Zero on February 17, 2017. Cloudflare's code disclosed the contents of memory that contained the private information of other customers, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. As a result, data from Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory. This occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected. Some of the leaked data was cached by search engines.

Connected toys are internet-enabled devices with Wi-Fi, Bluetooth, or other capabilities built in. These toys, which may or may not be smart toys, provide a more personalized play experience for children through embedded software that can offer app integration, speech and/or image recognition, RFID functionality, and web searching functions. A connected toy usually collects information about the users either voluntarily or involuntarily, which raises concerns on the topic of privacy. The data collected by the connected toys are usually stored in a database, where companies that produce connected toys can use the data for their own purposes, provided they do so in line with the protections outlined in the Children's Online Privacy Protection Act (COPPA).

The American cloud storage and file synchronization company Dropbox Inc. had several security and privacy controversies. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords; a July 2011 privacy policy update with language suggesting Dropbox had ownership of users' data; concerns about Dropbox employee access to users' information; July 2012 email spam with reoccurrence in February 2013; leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program; a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption; the leak of 68 million account passwords on the Internet in August 2016; and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

NordVPN is a Lithuanian VPN service with applications for Microsoft Windows, macOS, Linux, Android, iOS, Android TV, and tvOS. Manual setup is available for wireless routers, NAS devices, and other platforms.

Collection #1 is the name of a set of email addresses and passwords that appeared on the dark web around January 2019. The database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs. The list, reviewed by computer security experts, contains exposed addresses and passwords from over 2000 previous data breaches as well as an estimated 140 million new email addresses and 10 million new passwords from previously unknown sources, and collectively makes it the largest data breach on the Internet.

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country.

ShinyHunters is a black-hat criminal hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.

References

  1. Mathews, Lee. "The Latest Privacy Nightmare For Parents: Data Leaks From Smart Toys". Forbes. Retrieved 2017-08-06.
  2. Kan, Michael. "Smart teddy bears involved in a contentious data breach". Network World. Archived from the original on March 1, 2017. Retrieved 2017-08-06.
  3. 1 2 Hern, Alex (2017-02-28). "CloudPets stuffed toys leak details of half a million users". The Guardian. ISSN   0261-3077 . Retrieved 2017-08-06.
  4. 1 2 3 Larson, Selena (2017-02-27). "Stuffed toys leak millions of voice recordings from kids and parents". CNNMoney. Retrieved 2017-08-06.
  5. "Children's messages in CloudPets data breach". BBC News. 2017-02-28. Retrieved 2017-08-06.
  6. "CloudPets' data breach underlines need for secure cloud apps". ComputerWeekly. Retrieved 2017-08-06.
  7. Cooper, Luke (2017-02-28). "Millions Of Private Messages Between Parents And Kids Hacked In Cloud Pets Security Breach". Huffington Post. Retrieved 2017-08-06.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.