Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet.
Families can use the fake animals to exchange voice messages between their children, friends, and relatives.
For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid's toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal's paw.
Similarly, the youngsters can record messages using the stuffed creature, and send the audio over to their mom, dad, grandparent, and so on, via the internet-connected app.
These voice clips, along with records of 820,000 CloudPets.com accounts associated with the each of the toys, have been left wide open on the internet, with no password protection – allowing gigabytes of sensitive material to potentially fall into the hands of criminals.
And it's all due to a poorly secured NoSQL database holding 10GB of internal information.