Ars Technica is reporting today on analysis from Troy Hunt (creator of HaveIBeenPwned) that over “2 million voice recordings of parents and their children” have been exposed to intruders. References to these recordings were contained in two password-unprotected databases of ~10GB each, “cloudpets-staging” and “cloudpets-testing,” with the references themselves pointing to unsecured AWS S3 files — anyone who knows the relevant URLs can access the files on AWS. Hunt believes that the following information is also available in the databases:
- References to also-unsecured profile pictures hosted on AWS
- Day and month of birth
- Relationship data of those who have been authorised to share messages
Even worse, a search on Shodan reveals that the databases may have been accessed by a number of individuals before eventually being ransomed to their owners. Because of the ransom (plus the fact that at least four prior reports of the issue were sent by security researchers), there is almost no way CloudPets was not aware of the breach, yet they made no attempt to alert their customers to the leak until Hunt’s reporting on it. When they did respond, they appeared to lie about the situation. (Among other apparent lies, they reported that all customer passwords were invalidated, yet Hunt was still able to log in with his.)
For what it’s worth, I don’t personally consider the CloudPets software design to be problematic. While the AWS S3 URLs are unsecured, they are also effectively impossible to guess — you do need to know the URLs in order to access the files. There would be no issue, then, if the databases were not leaked. Rather, it was the ease with which CloudPets made them available — using no password on public-facing servers — that is inexcusable in this situation.
And I do think the idea of being able to share messages between parents and children is quite cute. The Internet-of-Things is much maligned, but in this particular case I can see value. Perhaps, next time, you could integrate with Google or Dropbox accounts instead, rather than having your own centralised logins?