CloudPets stuffed toys leak details of half a million users

[Becky]

Another day another data leak - this time, the stuffed toys 'CloudPets' have been targeted. Personal information has been exposed, which includes email addresses, passwords, profile pictures and voice recordings. So far CloudPets has denied that voice recordings have been stolen, and The Guardian has more on this:

CloudPets’s denial that voice recordings were “stolen” likely refers to the fact that the voice recordings were not contained in the exfiltrated database. It is possible to access the voice recordings without any authentication if you know the exact URL at which they are stored – something that can be gleaned by examining the app when a user is logged in. But the company had extremely lax password requirements (even officially recommending a password of “qwe” in a tutorial video), meaning that a large number of passwords could be “cracked” even given the secure method with which they were stored.

As such, it would be trivial for an attacker to access the voice recordings for users with simple passwords such as 123456 or cloudpets, but those with unique secure passwords could be covered in the case of a remote attack.

Read more here.

 

[muckshifter]

... them naughty people will be 'hacking' the grass under our feet soon.