Whoops: ‘AI’ Toy Company Leaks Chat Logs, Personal Data Of 50,000 Toddlers
Ars Technica: Web portal leaves kids’ chats with AI toy open to anyone with Gmail account. “Without carrying out any actual hacking, simply by logging in with an arbitrary Google account, the two researchers immediately found themselves looking at children’s private conversations, the pet names kids had given their Bondu, the likes and dislikes of the toys’ toddler owners, their favorite […]
https://rbfirehose.com/2026/02/03/ars-technica-web-portal-leaves-kids-chats-with-ai-toy-open-to-anyone-with-gmail-account/
An #AI #Toy Exposed 50,000 Logs of Its #Chats With #Kids to Anyone With a #Gmail Account
#AIchat toy company #Bondu left its web console almost entirely unprotected. Researchers who accessed it found nearly all the conversations children had with the company’s stuffed animals.
#chat #privacy #security
Web portal leaves kids' #chats with #AI toy open to anyone with #Gmail acct
With just a few min work, he & a web #security researcher friend made a startling discovery: #Bondu's web-based portal, intended to allow parents to check on their children's conversations & for Bondu’s staff to #monitor the products’ use & performance, also let anyone with a Gmail acct access transcripts of virtually every #conversation Bondu's child users have ever had with the toy.
#privacy
"Without carrying out any actual hacking, simply by logging in with an arbitrary Google account, the two researchers immediately found themselves looking at children's private conversations, the pet names kids had given their Bondu, the likes and dislikes of the toys' toddler owners, their favorite snacks and dance moves.
In total, Margolis and Thacker discovered that the data Bondu left unprotected—accessible to anyone who logged in to the company's public-facing web console with their Google username—included children's names, birth dates, family member names, “objectives” for the child chosen by a parent, and most disturbingly, detailed summaries and transcripts of every previous chat between the child and their Bondu, a toy practically designed to elicit intimate one-on-one conversation. Bondu confirmed in conversations with the researchers that more than 50,000 chat transcripts were accessible through the exposed web portal, essentially all conversations the toys had engaged in other than those that had been manually deleted by parents or staff.
“It felt pretty intrusive and really weird to know these things," Thacker says of the children's private chats and documented preferences that he saw. “Being able to see all these conversations was a massive violation of children's privacy.""
#AI #GenerativeAI #AISafety #CyberSecurity #Bondu #AIToy #Privacy #DataProtection