{“lastseen”:”2026-02-03T18:07:53″,”description”:”Bondu\u2019s AI plush toy exposed a web console that let anyone with a Gmail account read about 50,000 private chats between children and their cuddly toys.\\n\\nBondu’s toy is marketed as:\\n\\n\\u003e \u201cA soft, cuddly toy powered by AI that can chat, teach, and play with your child.\u201d\\n\\nWhat it doesn\u2019t say is that anyone with a Gmail account could read the transcripts from virtually every child who used a Bondu toy. Without any actual hacking, simply by logging in with an arbitrary Google account, two researchers found themselves looking at children’s private conversations.\\n\\nWhat Bondu has to say about safety does not mention security or privacy:\\n\\n\\u003e \u201cBondu\u2019s safety and behavior systems were built over 18 months of beta testing with thousands of families. Thanks to rigorous review processes and continuous monitoring, we did not receive a single report of unsafe or inappropriate behavior from Bondu throughout the entire beta period.\u201d\\n\\nBondu\u2019s emphasis on successful beta testing is understandable. Remember the AI teddy bear marketed by FoloToy that quickly veered from friendly chat into sexual topics and unsafe household advice?\\n\\nThe researchers were stunned to find the company’s public-facing web console allowed anyone to log in with their Google account. The chat logs between children and their plushies revealed names, birth dates, family details, and intimate conversations. The only conversations not available were those manually deleted by parents or company staff.\\n\\nPotentially, these chat logs could been a burglar\u2019s or kidnapper\u2019s dream, offering insight into household routines and upcoming events.\\n\\nBondu took the console offline within minutes of disclosure, then relaunched it with authentication. The CEO said fixes were completed within hours, they saw \u201cno evidence\u201d of other access, and they brought in a security firm and added monitoring.\\n\\nIn the past, we’ve pointed out that AI-powered stuffed animals may not be a good alternative for screen time. Critics warn that when a toy uses personalized, human\u2011like dialogue, it risks replacing aspects of the caregiver\u2013child relationship. One Curio founder even described their plushie as a stimulating sidekick so parents, \\”don\u2019t feel like you have to be sitting them in front of a TV.\\”\\n\\nSo, whether it\u2019s a foul-mouth, a blabbermouth, or just a feeble replacement for real friends, we don\u2019t encourage using Artificial Intelligence in children\u2019s toys\u2014unless we ever make it to a point where they can be used safely, privately, securely, and even then, sparingly.\\n\\n## How to stay safe\\n\\nAI-powered toys are coming, like it or not. But being the first or the cutest doesn\u2019t mean they\u2019re safe. The lesson history keeps teaching us is this: oversight, privacy, and a healthy dose of skepticism are the best defenses parents have.\\n\\n * **Turn off what you can.** If the toy has a removable AI component, consider disabling it when you\u2019re not able to supervise directly.\\n * **Read the privacy policy. **Yes, I know**, **all of it. Look for what will be recorded, stored, and potentially shared. Pay particular attention to sensitive data, like voice recordings, video recordings (if the toy has a camera), and location data.\\n * **Limit connectivity.** Avoid toys that require constant Wi-Fi or cloud interaction if possible.\\n * **Monitor conversations.** Regularly check in with your kids about what the toy says and supervise play where practical.\\n * **Keep personal info private.** Teach kids to never share their names, addresses, or family details, even with their plush friend.\\n * **Trust your instincts.** If a toy seems to cross boundaries or interfere with natural play, don\u2019t be afraid to step in or simply say no.\\n\\n\\n\\n* * *\\n\\n**We don ‘t just report on privacy\u2014we offer you the option to use it.**\\n\\nPrivacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.”,”published”:”2026-02-03T16:55:51″,”modified”:”2026-02-03T16:55:51″,”type”:”malwarebytes”,”title”:”An AI plush toy exposed thousands of private chats with children”,”source”:””,”references”:””,”id”:”MALWAREBYTES:D54CF63A85D49D416812EBD13C93E4F7″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/an-ai-plush-toy-exposed-thousands-of-private-chats-with-children”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-03T18:07:53″,”description”:”Bondu\u2019s AI plush toy exposed a web console that let anyone with a Gmail account read about 50,000 private chats between children and their cuddly…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-38826","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n