I've talked a lot about the need to secure internet connected devices. Sometimes the conversation can get a little esoteric. Here's something to bring it back to earth.
A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen to.
Ok, stolen customer credentials, that's called Wednesday over at Yahoo! Don't worry, it gets worse.
The CloudPets database is making the rounds in the internet underground, according to both Hunt and Victor Gevers, the chairman of the non-profit GDI Foundation which discloses security issues to affected victims. Gevers saw the database while it was exposed online at the end of last year, and said it contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages.
The voice messages themselves were not in the database, according to the researchers. But Hunt found out that they were stored in an Amazon S3 bucket that doesn't require authentication. So as long as hackers could guess the URL of the files, they could listen to the messages. Hunt said he believes that was definitely possible. Moreover, many customers used incredibly weak passwords such as "123456" or "cloudpets" (in part probably because the app allowed users to create accounts even with as short a password as "qwe", as this video shows), making it trivial to log into their accounts and listen to the saved messages.
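The exposure above comes down to a bucket whose policy or ACL lets anonymous callers read objects. The following is an added illustration, not code from the article or from CloudPets, of how a defender audits an S3 bucket policy document and ACL for that condition; the policy and ACL below are constructed samples, and the Sid names are made up.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous object reads (constructed samples)."""
import json

ANON_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # Policy principals may be "*" or {"AWS": "*"} (optionally as a list).
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_statements(policy):
    """Return the Sids of Allow statements that let anyone fetch objects with no Condition."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # Denies and conditioned grants are not open to the world
        if not _is_public_principal(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def anonymous_acl_grants(acl):
    """Return (group, permission) pairs where an ACL grants READ/FULL_CONTROL to anonymous groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS \
                and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

# Constructed sample: an open policy alongside one scoped to an application role.
OPEN_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicReadRecordings", '
                         '"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                         '"Resource": "arn:aws:s3:::example-recordings/*"}]}')
SCOPED_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "AppRoleRead", '
                           '"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, '
                           '"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-recordings/*"}]}')
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ANON_GROUPS[0]}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_read_statements(OPEN_POLICY), public_read_statements(SCOPED_POLICY), anonymous_acl_grants(OPEN_ACL))
```

In practice the policy and ACL documents come from `get_bucket_policy` and `get_bucket_acl`, and enabling S3 Block Public Access on the account removes the class of misconfiguration these checks look for.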
Why on earth was CloudPets storing these messages to begin with?