[1][2] The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone to allow distant family members to send voice messages to the toy, and allow children to send voice messages back.
[3] Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth.
The personal records of over 820,000 owners of the toy[4] were stored in an insecure MongoDB database.
Attackers also replaced the database with a ransom demand pointing to a Bitcoin address.
The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys.