Just a few days after Christmas last year, a toy company that sells internet-connected stuffed animals left more than 800,000 customers' emails and passwords, as well as data that could help hackers retrieve more than two million voice messages exchanged between children and their parents, totally exposed online.
Then at least two hackers found the data, erased it, and attempted to extort the company, according to security researchers who saw the ransom messages. Others, however, stole the data, which has since been actively circulating in the internet underground.
Now, two months later, Spiral Toys, makers of the Internet of Things stuffed animal line CloudPets, is finally alerting the victims of the breach. In a message sent to some customers, the company warns that "unauthorized third parties" accessed a CloudPets server, and asks customers to change passwords.
The CloudPets breach is just the latest incident involving internet-connected toys and other devices. In late 2015, Hong Kong-based VTech lost the personal data of 6.3 million children and 4.8 million parents. That breach even included selfies the children and parents took and their private chats.
Until this week, if you had a CloudPets teddy bear, unicorn, or another stuffed animal and used the app to communicate to it, you could create passwords as short as "qwe." That means the leaked passwords, even though they were hashed with a strong algorithm, were easy to crack, as security researcher Troy Hunt found analyzing the data. Spiral Toys, however, has been downplaying the risk of this happening, stating in an FAQ that "even if hackers obtained the database, they wouldn't be able to read or use user-passwords except for in exceptional circumstances."
That's one of the reasons why Hunt is convinced that it was possible for hackers to break into customers accounts and then access the voice recordings, which were stored in unprotected Amazon S3 buckets.
Read more: How This Internet of Things Stuffed Animal Can Be Remotely Turned Into a Spy Device
It's unclear if the company has alerted all customers already. Spiral Toys did not immediately respond to an email requesting comment for this story. Another victim, Jason Pagel, told Motherboard on Thursday morning that he had yet to receive a notification.
The way Spiral Toys is handling the aftermath of the breach appears to be the latest in a long string of mishaps.
The company claims that it didn't find out about the breach until Motherboard contacted it in late February. But security researcher Victor Gevers reached out to it with a detailed message alerting them of its exposed database on December 31, 2016, according to the screenshot of the email sent via Spiral Toy's customer support portal. Moreover, in an interview with PCWorld, Spiral Toys CEO argued that he didn't answer Motherboard's request for contact because "you don't respond to some random person about a data breach."
In response to the company's confusing claims, Hunt posted a detailed rundown debunking them.
"One of many things that stuns me is that not once have they said 'sorry,'" Hunt tweeted on Wednesday, in response to Spiral Toys customer alerts.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.