AI toy company exposed over 50,000 chat logs of kids
The flaw was discovered by a security researcher

Jan 30, 2026
12:30 pm

What's the story

Bondu, a company that makes AI chat-enabled toys, has experienced a major data exposure. The company's web console was found to be largely unprotected, exposing nearly all conversations children had with the company's stuffed animals. The flaw was discovered by security researcher Joseph Thacker and his colleague Joel Margolis while looking into the safety of these toys for kids.

Data breach

Web portal exposed children's private conversations

Bondu's web portal, designed for parents to monitor their children's chats and for company staff to assess product use and performance, was found to be vulnerable. The researchers were able to access transcripts of nearly every conversation Bondu's child users had with the toy by simply logging in with a random Gmail account. This included personal information such as children's names, birth dates, family member names, and detailed summaries of their chats with the toy.

Company statement

Company's response to the data breach

Upon being alerted by Thacker and Margolis, Bondu took down the vulnerable console within minutes and relaunched it the next day with proper security measures. The company's CEO Fateen Anam Rafid said in a statement that security fixes for the issue were completed within hours. He added that they found no evidence of access beyond what was accessed by the researchers involved in this matter.

Privacy implications

Concerns over AI-enabled chat toys for kids

The researchers argue that this incident highlights the risks of AI-enabled chat toys for kids. They were able to see how much information these companies store on children, including every chat history, which is kept to improve the toys' future conversations with their owners. Despite Bondu's fix, questions remain about who within these companies has access to this data and how their access is monitored and secured.

Security risks

Potential misuse of children's data

Margolis warned that sensitive information about a child's thoughts and feelings could be used for nefarious purposes. He said, "This is a kidnapper's dream." The researchers also noted that Bondu appears to use Google's Gemini and OpenAI's GPT5, potentially sharing information about kids' conversations with these companies. In response, Rafid confirmed they do use third-party enterprise AI services but take precautions to minimize what's sent and ensure contractual and technical controls are in place.
