Insecure CloudPets Database Exposed Credentials, Private Data

A public-facing, insecure CloudPets MongoDB database was found to have leaked the login credentials of over 800,000 users, researchers warn.

CloudPets is a company that sells internet-connected teddy bears, allowing children and parents to exchange audio messages over the web. The company also claims that its toys provide children with access to “an ever-expanding collection of fun and games.”

The underlying issue was related to the MongoDB ransack campaign that made headlines early this year, and which recently moved to MySQL databases. Customer data was stored in a MongoDB database that wasn’t properly secured, and, because it was exposed to the Internet, it allowed anyone to access it, steal its content, and even modify it.  

The exposed data was discovered in December last year, and Victor Gevers, co-founder of GDI Foundation, was among the first to try to contact Spiral Toys, the company behind CloudPets, to inform it on the matter. Apparently, other researchers attempted the same, and even journalists did, after being alerted that the company isn’t responding, but to no avail.

According to Troy Hunt, security researcher and maintainer of the Have I Been Pawned portal, two CloudPets databases were found exposed to the Internet, each nearly 10GB in size: cloudpets-staging and cloudpets-test. The former was found to include more than 820,000 customer records, including emails and associated passwords, stored as a bcrypt hash.

In addition to these user credentials, the leak supposedly impacts nearly 2.2 million customer voice messages. Although not stored in the databases, these voice messages could be accessed by anyone who could guess the URL of the files, because they were stored an Amazon S3 bucket that doesn’t require authentication, researchers say.

Some of the passwords, Hunt discovered, were very weak, meaning that they could be guessed. The issue, the researcher says, is that CloudPets has no rules on password strength, meaning that users could secure their accounts with nearly any word they wanted to, including the now famous “123456,” “password,” and “abc123.” Another frequent occurrence appears to be “cloudpets.”

This means that anyone who has the database can crack a large number of password and attempt to access user accounts. Once there, one can download the voice recordings that are stored in the cloud, Hunt explains.

Because the exposed database remained open for a long period of time, multiple parties might have identified it and could be in the possession of the data. Information received from Niall Merrigan reveals that the data was first exposed on December 25, 2016, Hunt says.

Just as it happened with all other MongoDBs that got hit in the ransack attacks, CloudPets’ database was eventually overwritten by attackers demanding a Bitcoin ransom in exchange for the data. As the attacks escalated, however, the data ended up overwritten several times before the company could secure access to it.

The original database fell to the MongoDB ransack attacks on January 7, when it was deleted and replaced with a ransom note. It was overwritten twice on January 8, and access to it was cut on January 13, supposedly when the company managed to finally secure it.

According to Hunt, the initial attempts to contact Spiral Toys took place in December 2016. In early January 2017, the security researcher who found the issue attempted to alert Linode, CloudPets’ hosting provider.

The fact that the company did change the security settings of the MongoDBs means that it was aware that they weren’t properly secured in the first place, that they were exposed to the Internet, and that third-parties had access to them, given that ransom notes were there instead of the data, Hunt notes.

However, the company never alerted impacted users on the matter, although it is based in California, a state that has mandatory data breach reporting laws. As of January, companies in California have to warn users even when their encrypted personal information was accessed or is believed to have been accessed by an unauthorized person.

Mark Myers, CEO of the company, says that the breach was “a very minimal issue.” He claims that access to the accounts was possible only if an attacker could guess the passwords and that no voice recordings were stolen. Further, he claims that he never received warnings from security researchers and that the company became aware of the incident only last week, after a reporter contacted him on the matter.

According to Myers, the company didn’t find evidence that hackers broke into user accounts, but that they were considering a password reset for all users, and maybe requiring more complex passwords.

In an emailed comment, Bill Diotte, CEO of mission critical IoT security provider Mocana, told SecurityWeek that this incident “is a menacing violation of consumer privacy” that the even more aggravating is the fact that children are involved.

“What this situation really demonstrates is how dogmatic, infosec-centric approaches to IoT security will always result in failure. If this type of data can be accessed as easily as these simple voice recordings were, we could experience catastrophic incidents that destroy property and even lead to human casualties,” he said.

“Technology companies have an unhealthy fetish to collect as much data as possible. Whilst there are business benefits to knowing your customers – there needs to be a measure of appropriateness applied and the data that is collected needs to be properly secured,” Javvad Malik, security advocate at AlienVault and former 451 senior analyst at 451’s Enterprise Security Practice, told SecurityWeek in an email.

The news of this data breach comes only a couple of weeks after Germany banned the internet-connected doll called “My Friend Cayla,” saying that it is a de facto “spying device.” The doll could send a child’s audio question wirelessly to an app on a digital device for translation. The app would also search the internet for an answer and then send the response back to the doll.

In 2015, a data breach suffered by Chinese educational toymaker VTech, was found to have impacted roughly 4.8 million parent accounts and 6.3 million kid profiles. Most of the affected individuals were from the United States (2.2 million parent and 2.9 million child profiles).