On February 22nd, 2017, we were notified of a data breach involving some CloudPets user data. Immediately after being contacted, we launched an internal investigation.
What We Found
What we found is that limited CloudPets user data may have been accessed as part of an exploit targeting the database software we temporarily used, sometime between December 25th, 2016, and the first week of January 2017. The affected database was being temporarily used by third-party developers performing an upgrade to the CloudPets app.
This same exploit affected over 28,000 databases using the same software. The hackers would delete the affected databases, and then hold the user information for ransom. But, because the affected CloudPets database was only temporarily used as part of a migration, we never noticed a ransom demand.
Customer data has been wiped from the affected database, and no current customer data is stored in a database exposed to the vulnerability.
What Data Could Have Been Taken?
The affected database contained the following information from users of the CloudPets app:
- Email Addresses
- Encrypted Passwords
The passwords in the database were encrypted to ensure that even if hackers obtained the database, they wouldn’t be able to read or use user passwords except in exceptional circumstances.
Were CloudPets Recordings Accessed?
Contrary to the claims being made by some articles and blog posts, the affected database contained no CloudPets recordings or messages.
Recordings are accessed by logging in to the CloudPets app with a legitimate username and password. Because the passwords in the affected database were encrypted, they could not be used to access a user account in most circumstances.
The exception would be accounts owned by a small minority of users who used very simple passwords, easily guessed passwords, or who may have re-used passwords that could have been stolen as part of a data breach from another application or website.
Protecting Our Users
Protecting our users’ privacy is very important to us, particularly when children are involved. We’re taking several steps to make sure that your account and recordings are safe:
- We’re requiring all app users to reset their passwords effective immediately.
- We’re implementing new password security requirements to help make sure our users aren’t using easily guessable or overly simple passwords.
These steps will make sure that your CloudPets recordings are secured going forward.
How can I protect myself from issues like this?
There are a few important security practices that can help you protect yourself online:
- Use a unique password for every application or website you register for.
- Use passwords that are at least 8 characters in length.
- Don’t use easily guessable or common passwords, like “ChangeMe”, “thisisapassword” or the name of your favorite sports team.
Why did it take so long to learn about the data breach?
Our third-party developers didn’t detect the original data breach because the affected database was only being used temporarily. While some security researchers attempted to contact us prior to February 22nd, we never received those contacts, and we’re looking into why that may have happened. As soon as we became aware of the breach, we investigated the incident and took all necessary steps to ensure that the data on the server is now safe.
What can I do if I have additional questions?
Please submit a support ticket, and we’ll be happy to assist you.