CloudPets users/owners- something went terribly wrong

dashcloud shared some links said Mon, Feb 27th 2017 at 6:48pm ET

Hi unfortunate CloudPets users/owners, the company behind your toy leaked & then lost all of your data (multiple times until there was nothing left to lose).
It’s deeply unfortunate for you, and any password on the site has to be considered compromised & known to attackers (good job on using bcrypt, but not including any restrictions on passwords negates that entirely).
Here’s the story: https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
Here’s what you can do: Get rid of the toy, pass the story along, and check any email addresses you used on the site with https://haveibeenpwned.com/ and then change passwords accordingly.

6 comments, 10 replies
Comment

CaptAmehrican said Mon, Feb 27th 2017 at 7:07pm ET:

So cloudpets on meh soon?

10
- Reply
- Whisper
- @CaptAmehrican Or Woot. Afterall, they sold Pebbles even after Fitbit said they will no longer be supported. And Amazon did take all the listings down for Cloud Pets …
  
  narfcake said Mon, Feb 27th 2017 at 10:34pm ET
  - 1
  - Reply
  - Whisper
Seeds said Mon, Feb 27th 2017 at 7:19pm ET:

That is really fucking creepy.

6
- Reply
- Whisper
narfcake said Mon, Feb 27th 2017 at 9:57pm ET:

Great read … and it explains why I’m not on board for so many “smart” devices.

5
- Reply
- Whisper
- @narfcake
  
  Thankfully though, not every company which makes internet connected devices would overlook security.
  
  PlacidPenguin said Mon, Feb 27th 2017 at 10:01pm ET
  - 2
  - Reply
  - Whisper
- @PlacidPenguin True. Still, I can’t help but to feel the KISS principle can work well enough. My $5 plug-in dusk-to-dawn switch works pretty well at determining when to turn on the lights when it’s dark without the need for an internet connection, an account setup, referencing databases for sunset and sunrise times, etc.
  
  narfcake said Mon, Feb 27th 2017 at 10:08pm ET
  - 10
  - Reply
  - Whisper
jbartus said Mon, Feb 27th 2017 at 10:17pm ET:

A sobering reminder of how important the fundamentals are for information security.

3
- Reply
- Whisper
- @jbartus
  
  thismyusername said Tue, Feb 28th 2017 at 1:59am ET
  - 6
  - Reply
  - Whisper
ilyashap said Tue, Feb 28th 2017 at 12:29am ET:

And after that lil happy story, read this one. Cloudbleed data leak.

https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/Cloudbleed data leak.

3
- Reply
- Whisper
- @ilyashap In their defense, they handled it really well. Far better than most companies do. Full disclosure, technical details, timeline, all publicly available online.
  
  CailiaBlue said Tue, Feb 28th 2017 at 2:19am ET
  - 3
  - Reply
  - Whisper
- @AiliaBlue First I heard about this is the email I got tonight from one of my password manager programs, saying that all of them are safe through the program but not so much site side wise.
  
  ilyashap said Tue, Feb 28th 2017 at 2:55am ET
  - 1
  - Reply
  - Whisper
- @ilyashap They discuss it here and they say about 0.00003% of requests to them were affected - it’s extremely rare. They weren’t going to email any non-customers either.
  
  https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  
  CailiaBlue said Tue, Feb 28th 2017 at 10:32am ET
  - 2
  - Reply
  - Whisper
CailiaBlue said Tue, Feb 28th 2017 at 1:33am ET:

Infosec folks I know say “The S in IoT stands for security.”

11
- Reply
- Whisper
- @AiliaBlue
  Then I’m glad it’s a capital “S”. : (
  
  f00l said Tue, Feb 28th 2017 at 2:02am ET
  - 3
  - Reply
  - Whisper
- @AiliaBlue …but there is no S in IoT.
  
  miko1 said Tue, Feb 28th 2017 at 7:17am ET
  - 2
  - Reply
  - Whisper
- @miko1
  Exactly.
  
  f00l said Tue, Feb 28th 2017 at 7:40am ET
  - 6
  - Reply
  - Whisper