CloudPets users/owners - something went terribly wrong
Hi unfortunate CloudPets users/owners, the company behind your toy leaked & then lost all of your data (multiple times until there was nothing left to lose).
It’s deeply unfortunate for you, and any password on the site has to be considered compromised & known to attackers (good job on using bcrypt, but not including any restrictions on passwords negates that entirely).
Here’s the story: https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
Here’s what you can do: Get rid of the toy, pass the story along, and check any email addresses you used on the site with https://haveibeenpwned.com/ and then change passwords accordingly.
So cloudpets on meh soon?
@CaptAmehrican Or Woot. After all, they sold Pebbles even after Fitbit said they will no longer be supported. And Amazon did take all the listings down for Cloud Pets …
That is really fucking creepy.
Great read … and it explains why I’m not on board for so many “smart” devices.
@narfcake
Thankfully though, not every company which makes internet connected devices would overlook security.
@PlacidPenguin True. Still, I can’t help but feel the KISS principle can work well enough. My $5 plug-in dusk-to-dawn switch works pretty well at determining when to turn on the lights when it’s dark without the need for an internet connection, an account setup, referencing databases for sunset and sunrise times, etc.
A sobering reminder of how important the fundamentals are for information security.
@jbartus
And after that lil happy story, read this one. Cloudbleed data leak.
https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/
@ilyashap In their defense, they handled it really well. Far better than most companies do. Full disclosure, technical details, timeline, all publicly available online.
@AiliaBlue First I heard about this is the email I got tonight from one of my password manager programs, saying that all of them are safe through the program but not so much site side wise.
@ilyashap They discuss it here and they say about 0.00003% of requests to them were affected - it’s extremely rare. They weren’t going to email any non-customers either.
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Infosec folks I know say “The S in IoT stands for security.”
@AiliaBlue
Then I’m glad it’s a capital “S”. : (
@AiliaBlue …but there is no S in IoT.
@miko1
Exactly.