An open database containing links to more than 2 million voice messages recorded on cuddly toys has been discovered, cybersecurity researcher Troy Hunt has revealed.
The messages were created by owners of CloudPets soft toys.
At one point, the data was even held to ransom, Mr Hunt says.
The animals are advertised as being toys that enable people to record and send greetings via a phone app and the toy itself.
The creatures are marketed as cuddly devices to connect children to working parents or grandparents.
They are currently on sale for a heavily discounted £6 in UK children’s store The Entertainer but are listed at $29.99 on the CloudPets US website.
The BBC has contacted California-based Spiral Toys, which makes the animals.
The email address on its website is bouncing messages back, and Troy Hunt said the researcher who told him about the breach had tried three times to contact the firm using various addresses they found connected with it.
Troy Hunt wrote on his blog that the voice recordings were stored in the cloud and the database, which was left exposed on the net, reveals their exact location.
He also expressed concern that there were no password rules at all, meaning lots of people had selected passwords that were extremely easy to crack.
“Because there were no rules, lots of people created bad passwords,” he told the BBC.
“I did an exercise and found it was really easy to create them. Lots of people were using the password Cloudpets because that’s what people do.”
There appeared to be around 820,000 accounts visible.
Both Mr Hunt and British security researcher Ken Munro said the toy showed similar vulnerabilities to the Cayla doll, an internet-connected toy that was found to be easily breached and could even be hacked to spy on its owners.
German watchdog the Federal Network Agency (Bundesnetzagentur) has now advised parents who own a Cayla doll to destroy it.
As with Cayla, no PIN is required to sync CloudPets with other devices, Ken Munro explained.
“If you have a CloudPets bear, switch it off,” he said.
“It might be a good idea for people to try to delete their accounts – it’s possible that the recorded data might go.
“Try to remember what password you set for the account – and if you used it anywhere else, change it.”
Google has released details of a bug in Microsoft’s browsing programs that would allow attackers to build websites that make the software crash.
Google researcher Ivan Fratric said the bug could, in some cases, allow attackers to hijack a victim’s browser.
The bug was found in November, but details are only now being released after the expiry of the 90-day deadline Google gave Microsoft to find a fix.
Microsoft has yet to say when it will produce a patch that removes the bug.
In an explanation of how the bug arose, Mr Fratric said he was reluctant to reveal more details until it was patched.
He said he had expected Microsoft to address the bug before the 90-day deadline had expired.
The problem is found in Internet Explorer 11 as well as the Edge browser and arises because of the way both programs handle instructions to format some parts of web pages.
In a statement, Microsoft did not comment directly on the bug and its significance but said it had a “customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible”.
It added it was involved in “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk”.
So far, there is no evidence that malicious attackers are exploiting the problem unearthed by Mr Fratric.
The publication of information about the browser bug caps a difficult period for Microsoft and the security of its software.
Earlier this month, it cancelled a regular monthly security update without explaining why.
The update was expected to include fixes for several significant vulnerabilities.
In the same month, other security researchers released information about a way to exploit a vulnerability in some Microsoft server code.
No fix has yet been released for this vulnerability.
Samsung has, for the first time since 2013, opted not to unveil a flagship Galaxy S smartphone at the Mobile World Congress tech show.
Instead, it showed off two new tablet computers and a virtual reality headset that comes with a remote control.
However, a new smartphone was briefly teased at the end of the company’s presentation at the Barcelona event.
Samsung said the new device would be unveiled on 29 March in New York.
“Not having [the successor to the S7] there will be a particular boon to Huawei,” noted tech analyst Tim Coulling at Canalys, referring to Samsung’s Chinese rival.
“But it’s known something is coming out, so the Samsung fans will probably be willing to wait.”
The hiatus follows trouble for the South Korean tech giant after its Galaxy Note 7 phone had to be recalled twice, the second time permanently.
Faulty batteries in the devices led some to catch fire.
Campaign group Greenpeace made an unexpected appearance at the presentation. A protestor took to the stage with a banner saying “reduce, reuse, recycle” – apparently referring to the millions of Note 7 handsets that had to be withdrawn.
More protestors rolled out another banner on the side of the building where the press conference was taking place.
Of the new tablets, the Galaxy Tab S3 is the smaller of the two and comes with a 9.7in (24.6cm) screen. It is targeted at consumers who want to prioritise gaming and video playback.
The larger Galaxy Book comes in two sizes: 10.6in and 12in. Samsung said it was suited to “on-the-go professionals”. It comes with a snap-on keyboard and S-Pen stylus.
The S3 runs Android 7.0 Nougat while the Book’s operating system is Windows 10.
“Like most of its competitors, Samsung has seen its tablet sales erode in recent years, as larger smartphones have pushed into tablet territory,” noted Rhoda Alexander at analysts IHS Technology.
But she added that the organic light-emitting diode (OLED) displays and powerful specifications of the new tablets should help differentiate the products from competitors.
Samsung also launched a Gear VR headset and remote control.
As with previous generations, the headset is a tie-up with Facebook’s Oculus division.
The remote is designed for one-handed control. It features a touchpad that lets users select options within virtual reality apps, and motion sensors to detect hand movements.
In the past, owners had to use controls built into the headset or buy a third-party gamepad. That compared unfavourably with Google’s rival Daydream View headset, which featured a motion-sensing controller of its own.
The new Gear VR is compatible with the recent Galaxy S and Note handsets.
LG has ditched the modular design of its previous flagship smartphone and unveiled a new top-end model that is designed for split-screen uses.
To achieve this, the G6’s display has an 18:9 aspect ratio, rather than the 16:9 used by most handsets.
It means that when viewed in landscape mode, the screen appears wider than normal.
LG has acknowledged that last year’s G5 missed its sales targets. One analyst said the change in strategy was wise.
The new device was unveiled in Barcelona ahead of the opening of the Mobile World Congress (MWC) trade show.
LG’s new phone was also distinguished by being the first Android device announced to include Google Assistant – the search giant’s voice-controlled rival to Apple’s Siri – beyond Google’s own Pixel phone.
The G6’s display measures 5.7in (14.5cm) compared to the G5’s 5.3in (13.5cm) component. It is also brighter, adding support for high dynamic range (HDR) video playback. This makes compatible footage appear more vibrant and detailed in the shadows.
The new device can also be submerged underwater for up to half an hour.
Yet the G6 is thinner and slightly smaller than last year’s model thanks to the decision to abandon add-on components – such as a higher quality audio processor – and a return to an irremovable battery.
The new phone is designed around Android 7’s support for split-screen software, allowing two same-sized square interfaces to be seen either side-by-side or one-above-the-other, depending on how the phone is held.
Suggested uses include:
running two different apps alongside each other
displaying a monthly calendar in one box, and a day’s agenda in the other
showing a music album’s artwork and play controls in one interface, and a list of the songs it contains in the other
A further use of the split screens would be to help take square-shaped photos for the social network Instagram. When the phone is held vertically, the top box shows the live view from the camera while the bottom one displays the last photo taken. The idea is to make it possible to review an image without the risk of missing another key moment.
However, one side effect of the screen’s unusual aspect ratio is that many apps will have to be slightly stretched to fit it, unless the owner opts not to use the full screen.
LG acknowledges that the G6 is less radical than last year’s offering, but it hopes that means demand will be stronger than it was for the G5.
“I’d love to be sat here now saying that the mass market had adopted it and understood it – unfortunately that wasn’t the case,” Jeremy Daniels, head of sales for LG UK, told the BBC.
“We proved the concept could be done, but actually we know that [this year] we had to tick a lot of boxes like water resistance and bigger battery.
“And that could only be done by moving to a design that was more appealing to the masses.”
LG is the world’s sixth bestselling smartphone maker, according to the research firm IDC. Figures indicate that the South Korean firm shipped 7% fewer handsets in 2016 compared to the previous year.
Despite the G5’s struggles, its unusual design won plaudits when it was unveiled a year ago.
The GSM association – a trade body representing the world’s mobile operators – even declared it the best device introduced at 2016’s MWC.
But one expert said the idea of adding functionality via add-on accessories – known as friends – proved to be unwieldy in practice.
“If you look at the way G5 worked – owners had to open the case, remove the battery and power down the device before putting in another friend – that concept was fatally flawed,” said Tim Coulling from the tech consultancy Canalys.
“Also because the phone had to be taken apart a lot, there were problems with dust and water.
“So, the decision to move back from modular to non-modular is completely the correct decision.”
Over the past year, Google has also cancelled its Project Ara modular smartphone concept.
But Lenovo continues to pursue the modular idea with its Moto Z devices, which do not need to be switched off when their parts are swapped.
Nokia’s 3310 phone has been relaunched nearly 17 years after its debut.
Many consider the original handset iconic because of its popularity and sturdiness. More than 126 million were produced before it was phased out in 2005.
The revamped version will be sold under licence by the Finnish start-up HMD Global, which also unveiled several Nokia-branded Android smartphones.
One expert said it was a “fantastic way” to relaunch Nokia’s phone brand.
“The 3310 was the first mass-market mobile and there’s a massive amount of nostalgia and affection for it,” commented Ben Wood from the technology consultancy CCS Insight.
“If HMD had just announced three Android devices they would have barely got a couple of column inches in the press.
“So, the 3310 is a very clever move and we expect it will sell in significant volumes.”
The announcement was made ahead of the start of the Mobile World Congress tech show in Barcelona. LG, Huawei and Lenovo are among others to have unveiled new devices.
Nokia no longer makes phones itself, but manufactures telecoms equipment, Ozo virtual reality cameras, and health kit under the Withings brand.
The new 3310 qualifies as a “feature phone” rather than a smartphone as it only provides limited internet facilities.
It relies on 2.5G connectivity – which has slower data speeds than 3G or 4G – and is powered by the S30+ operating system, which allows web browsing but has a much smaller range of apps than Android or iOS. Its single camera is also restricted to two megapixels.
However, its advantage over more powerful handsets is its battery life. HMD says the colour-screened phone has up to a month’s standby time and delivers more than 22 hours of talk time.
It also comes with the modern version of the classic game Snake preinstalled.
Its launch price is €49 ($51.75; £41.51).
“It’s almost like a digital detox or a holiday phone,” HMD’s chief executive Arto Nummela told the BBC.
“If you want to switch off to an extent but you still need to have a [mobile] lifeline, it’s a brilliant solution.
“Why wouldn’t you buy this like candy? If you see this hanging on the shelf at the checkout in a [see-through] package, then you’d just buy it as an accessory.”
There is no doubt what the headlines will be from the HMD Global Nokia event here in Barcelona – and they won’t be about a new range of slick Android smartphones.
Yes, the reboot of the Nokia 3310 is fun – and perhaps there is a huge audience for a return to a time when all you could do with a phone was make calls and play Snake.
But make no mistake, if this piece of nostalgia is the future of the Nokia brand then it is doomed. And of course the smart team at HMD Global know that. They haven’t built partnerships with Foxconn, Google and hundreds of operators around the world on the promise of a return to the 2G past.
It is phones like the Nokia 6 – apparently already selling well in China – which are key to any hopes of making the Finnish brand a force to be reckoned with again. But of course yet another slab of metal and glass running Android was never going to excite the analysts and journalists tired of overblown launches where the words “awesome” and “revolutionary” are thrown around like confetti.
Hence the decision to remind us of Nokia’s glorious past, where everyone seemed to have a phone with that familiar ringtone and nobody was asking to borrow a charger to get them through the day. A stroke of marketing genius then – but a risky strategy.
If the phone-buying public now sees Nokia as a retro brand rather than one which has been reinvigorated for the 4G and 5G future, then HMD may come to regret its 3310 gimmick.
Apple has replaced both the phone and the case that were damaged.
Brianna told the BBC that she had noticed a problem with the phone, which she bought in January, the day before it caught fire.
“It wouldn’t turn on so I took it into a store,” she said.
“They were able to get the phone on and ran diagnostics. They said nothing was wrong with it and everything was fine.”
But the next morning she woke to discover her phone on fire.
“I sleep with my phone next to me. It was on the bed right next to my head. My boyfriend actually moved the phone to the dresser and went into the bathroom,” she said.
“From the corner of his eye he saw the phone smoking and heard a squealing noise coming from it. I woke up because I heard the noise and then he started raising his voice.”
Brianna’s boyfriend grabbed the phone and moved it into the bathroom.
“Right when he put it there, it blew up and even more smoke was coming out,” she said. “The phone smelt so bad. I can’t really explain the smell but it was really strong. It made the whole apartment smell.”
Despite the problem with Brianna’s phone, there is no indication of a widespread problem with iPhone handsets.
A spokesperson told digital media website Mashable that the firm was “looking into” the issue.
But Brianna’s not sleeping with her phone so close for the time being.
“The past two nights it hasn’t been on my bed at all,” she said.
The video game publisher that won a case against Facebook-owned Oculus has asked a judge to block the firm from using its code in virtual reality products.
Earlier this month a US court ruled that Oculus had used ZeniMax’s code without permission.
If the ban is granted, it could limit the number of games available for sale with the Oculus Rift VR headset.
A spokeswoman for Oculus said that the company was continuing with its appeal.
Tera Randall told Reuters that the original verdict was “legally flawed and factually unwarranted”.
ZeniMax was awarded $500m (£398m) earlier in February when a jury found that Oculus, which Facebook bought in 2014, had violated a non-disclosure agreement.
‘A very big deal’
The jury also ruled that Oculus had infringed some of ZeniMax’s copyrighted code – but did not agree that it had stolen its trade secrets.
Oculus has already made the disputed code available to companies that develop games and it is also embedded in many of the games available for use on the Oculus Rift headset and some on Samsung’s Gear VR, a device developed in partnership with Oculus.
If the judge enforces the ban, it could be a blow to the nascent technology, which Facebook has big ambitions for, said intellectual property lawyer Matt Jones, a partner at law firm EIP.
“It could be a very big deal. If they are granted the injunction, it will stop Oculus from using the code. It could get around that by writing new code but that would be time-consuming and expensive.
“Will this push Facebook towards a settlement? Quite possibly, as often injunctions hurt businesses more than damage settlements.”
Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.
The firm protects websites by routing their traffic through its own network, filtering out hack attacks.
It has 4 million clients, including banks, governments and shopping sites.
Customers wouldn’t necessarily know which of the online services they use run on Cloudflare as it is not visible.
The bug came to light while Cloudflare was migrating from older to newer software between 13 and 18 February.
Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom.
He told the BBC there was no evidence yet that the data had been used maliciously.
“I can’t tell you it’s zero probability that nobody saw something and did something mischievous,” he said.
“I am not changing any of my passwords. I think the probability that somebody saw something is so low it’s not something I am concerned about.”
“Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” he wrote.
The firm, whose strapline is “make the internet work the way it should”, has also been working with the major search engines to get the data scrubbed from their caches – snapshots taken of pages at various times.
The bug was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.