Researchers find that a new children's AI toy might be putting them in serious danger
A recent security discovery reveals how easy it was to peek into kids' lives.
We buy toys to keep our kids entertained and happy, but we never expect those toys to act like a two-way mirror for the rest of the internet. Imagine your child telling their favorite stuffed dinosaur a secret, only for that "secret" to be stored on a website that literally anyone with a basic Gmail account could access. It sounds like a plot from a futuristic thriller, but it recently became a very real reality for families using a new line of AI-enabled toys.
In a recent report, security researchers discovered a massive hole in the digital walls of Bondu, a company that makes AI-powered stuffed animals. These toys are designed to be a child’s first "smart" friend, using artificial intelligence to hold actual conversations. However, the web portal meant for parents to check in on their kids’ progress was left completely unsecured.
The researchers found that they didn't even need to be hackers to see the data. By simply logging in with any random Google account, they were granted access to the personal lives of thousands of children. The company later confirmed that over 50,000 chat transcripts were exposed before they managed to pull the portal offline and resolve the issue.
When the researchers gained access, they stumbled upon a treasure trove of sensitive information that really should have been under lock and key. Instead of a secure vault, they found full names and birthdays of the children, the specific pet names kids had given to their toys, and even detailed lists of their likes, dislikes, and favorite snacks. Most concerning of all were the full written transcripts of every single conversation the child had ever had with the toy, along with the "objectives" parents had set for their child’s development.
This isn't just a simple technical glitch, it is a warning sign about the "smart" toy industry as a whole. While the company fixed this specific hole quickly, the fact that it existed in the first place is terrifying. These toys are practically designed to get kids to open up, sharing their deepest thoughts and feelings with a machine.
In the wrong hands, such data is more than just a privacy violation. Experts noted that knowing a child's favorite snack, their pet's name, and their daily routine is a kidnapper’s dream because it provides all the tools needed to manipulate or lure a child into a dangerous situation. Furthermore, since these toys often use third-party AI services like Gemini or GPT5 to generate responses, your child’s data might be traveling through more companies than you realize.
I love new tech as much as anyone, but this story makes my skin crawl. There is something inherently weird about a stuffed animal keeping a permanent log of every word a toddler says. Even if the security is fixed now, we have to ask ourselves if we really want this kind of data to exist in the first place.
I wouldn’t put one of these in my house, and I certainly wouldn't gift one to a friend. The risk of a privacy nightmare far outweighs the novelty of a talking dinosaur. If a company can forget to put a basic lock on a door containing 50,000 transcripts of children talking, it shows they might be prioritizing cool features over basic safety.
A very open door to your child's secrets
In a recent report, security researchers discovered a massive hole in the digital walls of Bondu, a company that makes AI-powered stuffed animals. These toys are designed to be a child’s first "smart" friend, using artificial intelligence to hold actual conversations. However, the web portal meant for parents to check in on their kids’ progress was left completely unsecured.
The personal details left exposed
When the researchers gained access, they stumbled upon a treasure trove of sensitive information that really should have been under lock and key. Instead of a secure vault, they found full names and birthdays of the children, the specific pet names kids had given to their toys, and even detailed lists of their likes, dislikes, and favorite snacks. Most concerning of all were the full written transcripts of every single conversation the child had ever had with the toy, along with the "objectives" parents had set for their child’s development.
Information that was left exposed in the Bondu admin panel. | Images credit — Joseph Thacker
Why this is a major red flag for parents
Bondu toy ad. | Video credit — Bondu
Sure, you might argue that we install smart devices in our homes all the time, like Alexa and Google Home devices that may or may not be listening to our conversations. However, these are decisions we make as adults and not something we normally hand to unsuspecting children. At least not knowingly, and not in the form of a toy that they can confess all their wants and needs to.
How do you feel about AI-powered toys for kids?
Thoughts on the AI toy trend
I love new tech as much as anyone, but this story makes my skin crawl. There is something inherently weird about a stuffed animal keeping a permanent log of every word a toddler says. Even if the security is fixed now, we have to ask ourselves if we really want this kind of data to exist in the first place.
I wouldn’t put one of these in my house, and I certainly wouldn't gift one to a friend. The risk of a privacy nightmare far outweighs the novelty of a talking dinosaur. If a company can forget to put a basic lock on a door containing 50,000 transcripts of children talking, it shows they might be prioritizing cool features over basic safety.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: