Toy maker's sensitive database exposed, held to ransom

An insecure MongoDB database containing millions of voice recordings of children and parents, as well as parents' email addresses and passwords, was exposed on the web and captured by attackers for ransom.

Toy maker Spiral Toys' internet-connected CloudPets products allow parents and children to record and send voice messages to each other via a mobile app.

But the toy maker was holding this sensitive data in an unsecured MongoDB database that was publicly exposed online, security researcher Troy Hunt revealed today.

The database also contained email addresses and passwords of parents who had purchased the toy, alongside childrens' profile pictures, names, day and month of birth, and their relationship to people - like parents and friends - who had been authorised to share messages with them.

The database contained over two million voice recordings from 821,000 registered users.

While the voice recordings themselves weren't directly stored in the database, Hunt said they were located in an Amazon S3 bucket that had no authentication - "all that's required to access the file is the path which is returned by the app every time [a] profile is loaded," he wrote.

It also appears that Spiral Toys left two databases - staging and test - containing production data facing the public web.

While Spiral Toys stored its passwords as a bcrypt hash, the company did not implement any password strength rules - meaning "you can literally have a password of 'a'," Hunt said.

"Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings," he wrote.

Attackers discovered the open database on January 7, nuked the information and demanded a ransom in return for restoration of the data. Ransom demands were made by multiple separate attackers, Hunt said.

The databases were taken offline on January 13. Searches indicate they had been exposed since December 25.

Hunt, who was alerted to the breach by an anonymous source, said the toy maker never responded to multiple attempts by several sources to inform it of the problem.

"It's impossible to believe that CloudPets [or Russian app design partner mReady] did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them," Hunt wrote.

"Obviously, they've changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left.

"Unauthorised access must have been detected but impacted parents were never notified."

He said the length of time the database remained open, and that fact that it had been spotted by multiple parties, meant the data had likely been exfiltrated by many others.

MongoDB campaign

Spiral Toys got caught up in a spate of attacks against unsecured installations of the popular open source MongoDB NoSQL database - in which attackers capture the data and demand a ransom to restore it -  which occurred late last year.

MongoDB instances connected to the internet have long been targeted by attackers given the ease with which older versions of the software can be accessed.

But a recent spike in attacks over December and January saw at least five different operators attack over 10,500 servers in just a few weeks .

The attackers used tools like the Shodan.io scanning service to uncover unsecured databases within seconds.

Many affected database operators failed to back up their data, leaving them open to complete data loss. 

Shodan.io operator John Matherly has previously estimated the amount of data stored in vulnerable MongoDB instances to be over 364 TB.