Using a password doesn’t necessarily mean you’re protected from others being able to access your personal information and, in some cases, your voice recordings. The company Spiral Toys launched an innovative product in 2015 called CloudPets, which allows family and friends to relay voice messages to a young one through a stuffed animal toy. It sounds simple and innocent enough, but be aware of the data breach that internet security researchers recently discovered and reported on.

In order to send messages, the toy is connected to a mobile app. For instance, if a mother is away and wants to send a message to her children, she records her voice message in the app. It is then sent over Wi-Fi so that at home, the father will receive the message on the same app through the same account, and he can then transmit that message to the nearby toy. The children play the message by squeezing the toy’s paw and then can send a message back the same way.

The issue these computer security experts found is that CloudPets’ database, where the voice recordings and information about CloudPets’ more than 800,000 accounts are stored, has lax security. Customers’ emails, passwords and personal recordings were all at risk of being accessed by hackers. While passwords were encoded in the database, a hacker could gain access to the email and the account by guessing the password. CloudPets had no requirement for password complexity – a password of “a” is suitable for the system – so numerous users might have common passwords that are easy to guess, such as “password” or “12345,” which would then give a hacker access to accounts and voice recordings, bypassing the database.

Several security researchers and customers have claimed that they reached out to Spiral Toys before the breach became public, voicing their worries about the exposed database and the possibility of hacking. Phone calls were not answered or returned, and emails bounced back as having been sent to an inactive address.

However, Spiral Toys CEO Mark Myers publicly stated that the company never received any warnings and was only made aware of the problem recently. Even then, they determined the problem to be “very minimal,” further stating that “the headlines that say that 2 million messages were leaked on the internet are completely false.” He has also made the claim, “Were the voice recordings stolen? Absolutely not,” after security researcher Troy Hunt first broke the story on February 28.

Since January 13th, the CloudPets database has not been publicly accessible. The company did not notify its customers about the data breach because it claims that there was no evidence that hackers had accessed customer accounts. The company is also now planning on resetting all user passwords as a form of protection and has speculated that it may need to require a more complex password for user accounts.

Still, the company never responded to any inquiries about the security flaw until it became public knowledge. California, the state where Spiral Toys is based, has laws requiring companies to report any data breaches where personal information has been exposed. Massachusetts has similar laws where the state must be notified if any Massachusetts residents are affected. No such reports have been filed, and it is not unreasonable to assume that there are Massachusetts consumers with CloudPets apps and accounts.

If you own a CloudPet, the Office of Consumer Affairs and Business Regulation has a few tips for maintaining your security and privacy.

  1. When creating any new account for the first time, the password for that account should be a unique one that is not associated with any of your other online accounts (Facebook, email, Twitter, etc.).
  2. Passwords should be complex to prevent hackers from easily cracking them and accessing data. A complex password should be long, at least eight characters, including upper and lowercase letters, numbers, and special characters (such as ! or /).
  3. Current users should change their CloudPets passwords if they use that password anywhere else.
  4. Avoid sending highly personal messages, like full names or locations, over the CloudPets messaging system.

If you have additional questions, contact the Office of Consumer Affairs and Business Regulation by calling our Consumer Hotline at (617) 973-8787, or toll-free in MA at (888) 283-3757, Monday through Friday, from 9 am-4:30 pm. Follow the Office on Facebook and Twitter, @Mass_Consumer. The Baker-Polito Administration’s Office of Consumer Affairs and Business Regulation, along with its five agencies, works to achieve two goals: to protect and empower consumers through advocacy and education, and to ensure a fair playing field for all Massachusetts businesses. The Office also oversees the state’s Lemon Laws, data breach reporting, Home Improvement Contractor Program and the state’s Do Not Call Registry.