Updated Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation.

Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet. Families can use the fake animals to exchange voice messages between their children, friends, and relatives.

For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid's toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal's paw.

Similarly, the youngsters can record messages using the stuffed creature, and send the audio over to their mom, dad, grandparent, and so on, via the internet-connected app.

Cute ... How CloudPets passes messages from app to toy

These voice clips, along with records of 820,000 CloudPets.com accounts associated with the each of the toys, have been left wide open on the internet, with no password protection – allowing gigabytes of sensitive material to potentially fall into the hands of criminals. And it's all due to the company's poorly secured NoSQL database holding 10GB of this internal information.

CloudPets' internet-facing MongoDB installation, on port 2701 at 45.79.147.159, required no authentication to access, and was repeatedly extorted by miscreants, evidence shows. The database contains links to .WAV files of voice messages hosted in the Amazon AWS S3 cloud, again accessible with no authentication, potentially allowing the mass slurping of more than two million highly personal conversations between families and their little ones.

It appears crooks found the database, presumably by scanning the public 'net for insecure MongoDB installations, took a copy of all the data, deleted that data on the server, and left a note demanding payment for the safe return of a copy of the database. This happened three times, we're told. Copies of data lifted from the CloudPets system has been passed between underground hacking groups, too, apparently.

Don't forget, anyone else wandering by the database could have swiped the records for themselves and kept quiet, so the information potentially could be in the hands of just about any miscreant. The IP address of the database is also the address of the backend web server used by the Android and iOS app accompanying the toy. That app was developed by Romanian biz mReady. The IP belongs to server host Linode, which is presumably providing the machine.

Computer security breach expert Troy Hunt, who maintains the HaveIBeenPwned website, was tipped off about the insecurity of CloudPets, a brand of Spiral Toys, and went public today with details of the cockup.

“This is kids' voices recorded on teddy bears,” Hunt told The Register after spending a week investigating the security blunder. “I can picture my four-year-old girl, sitting in her room – it's hard to picture a more innocent scenario – and all these actors have access to what she says to her teddy bear.”

As proof that CloudPets' security was hopeless, Hunt's informant provided him more than 580,000 records from the CloudPets database, along with screenshots of three attempts to alert the toy manufacturer to the gaping hole. Each warning, we're told, fell on deaf ears.

As Hunt dug deeper, things got more bizarre: yes, the account passwords in the database were hashed with bcrypt, but the website had no password rules, and its tutorial used only a three-character password – meaning many of the passwords were just a few characters and crackable anyway. The account records included email addresses, hashed login passwords, user IDs, and login times and dates.

Niall Merrigan, a Capgemini solution architect who investigates breaches on his own time, tracks MongoDB installations that have been held hostage on the open internet. He helped Hunt confirm the CloudPets' database was hit multiple times by extortionists.

Using internet device search engine Shodan.io to look at historic snapshots of exposed online systems, Merrigan found that in January, CloudPets' database was again and again deleted and replaced with DBs called "PLEASE_READ", "README_MISSING_DATABASES", and "PWNED_SECURE_YOUR_STUFF_SILLY" – a sign the data was being held to ransom for one Bitcoin at a time.

Hunt concluded: “The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom.” He's added the 800,000-plus email addresses in the vulnerable database to HaveIBeenPwned.com, so as to alert owners of CloudPets toys. He also warns against buying web-connected toys because it's too easy for a single design error to expose your children to snooping.

His advice to MongoDB sysadmins is simple: don't accept the default configuration that allows anonymous unauthenticated access, and instead secure your installation.

“I can see both sides of this,” Hunt told The Register. “People are screwing up, but to be honest, I haven't seen this with SQL Server, because you can't stand it up with anonymous open access. You need a baseline that forces you have an account and forces you to have a password.”

A spokesperson for CloudPets and Spiral Toys, based in California, was not available for immediate comment. ®

Updated to add

Spiral Toys has been in touch with a statement that is at odds with Hunt and co's findings. Spiral claims it learned of the security flaw on February 22; we've been shown evidence that the company was alerted in December, and that it addressed the vulnerabilities in mid-January by removing its MongoDB install from the public internet. Spiral claims the database was "password encrypted"; it was not, it was all plaintext and easily accessible from the outside world – and Hunt has quoted parts of the data store on his website. Spiral claimed no information was taken from its MongoDB installation; it quite clearly was. And it was deleted repeatedly by hackers demanding money.

"For the protection of our users, we are now requiring users to choose new increased security passwords," said Spiral spokesman Harold Chizick.

"An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password ... Once we have addressed our customers’ needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California."

That report [PDF] suggests the MongoDB database was a staging store set up during development, and was not used in production. However, it is clear to El Reg the database was holding production data – records of more than 500,000 customers and links to their voice messages – and it was exposed to the public internet.