Bondu AI toy leaked 50,000 kids' chats

Kids' Chat Leak
  • Bondu left a web console almost entirely unprotected, allowing broad access.
  • Researchers who accessed it found nearly all conversations children had with Bondu’s AI stuffed animals.
  • About 50,000 chat logs were exposed and available to anyone with a Gmail account.
  • The incident raises immediate privacy and safety concerns for children and parents.

What happened

Bondu, the maker of AI-powered stuffed animals, left its web console largely unprotected, researchers report. The console could be accessed by anyone with a Gmail account, enabling broad viewing of stored data.

What was exposed

Researchers who accessed the console found roughly 50,000 chat logs — described as nearly all the conversations children had with the company’s stuffed animals. Those logs appear to contain transcripts of the interactions between kids and the AI toy.

Why this matters

Chat logs from children's interactions can include sensitive personal details, habits, and behavioral information. Exposure of these transcripts creates privacy and safety risks for families and could invite misuse by bad actors.

The fact that access required only a Gmail account underscores how weak access controls can turn private data into public data. Any device or service handling children's data needs robust authentication and logging to prevent exactly this kind of exposure.

Suggested next steps

Security experts typically recommend immediate actions in cases like this: secure or remove the exposed console, rotate credentials and API keys, audit who accessed the logs, and apply strong access controls and encryption.
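
As an added illustration (not Bondu's code and not taken from the researchers' findings), the Python below contrasts a console check that accepts any signed-in Google account with one that denies by default, requires a staff domain plus an explicit role, and writes an audit record for every decision. It assumes the console uses Google sign-in and that the ID token's signature has already been verified; the domain toyco.example, the role table and the sample claims are constructed.

```python
# Added example: all names and claims below are constructed for illustration.
import logging

audit = logging.getLogger("console.audit")

# Assumption: hypothetical staff domain and per-user permissions for the console.
STAFF_DOMAIN = "toyco.example"
ROLES = {"support@toyco.example": {"read_transcripts"}}


def weak_authorize(claims):
    """Flawed: treats authentication (any verified Google account) as authorization."""
    return bool(claims.get("email_verified"))


def authorize(claims, permission):
    """Deny by default: staff domain and an explicit role are both required."""
    email = str(claims.get("email", "")).lower()
    allowed = (
        claims.get("email_verified") is True
        and claims.get("hd") == STAFF_DOMAIN      # 'hd' is absent on consumer Gmail accounts
        and email.endswith("@" + STAFF_DOMAIN)
        and permission in ROLES.get(email, set())
    )
    # Record every decision, allowed or denied, so access can be audited later.
    audit.info("sub=%s email=%s perm=%s allowed=%s",
               claims.get("sub"), email, permission, allowed)
    return allowed


# Constructed claims, shaped like a Google ID token payload after verification.
OUTSIDER = {"sub": "1001", "email": "someone@gmail.com", "email_verified": True}
STAFF = {"sub": "2002", "email": "support@toyco.example",
         "email_verified": True, "hd": "toyco.example"}
STAFF_NO_ROLE = {"sub": "2003", "email": "intern@toyco.example",
                 "email_verified": True, "hd": "toyco.example"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for who in (OUTSIDER, STAFF, STAFF_NO_ROLE):
        print(who["email"],
              "weak:", weak_authorize(who),
              "hardened:", authorize(who, "read_transcripts"))
```

The weak check lets the outside Gmail account through; the hardened check admits only the staff account that holds the read_transcripts permission.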

For parents, the prudent response is to check communications from the toy maker, limit further use of the device until the issue is resolved, and review any account settings tied to the toy. It’s also reasonable to ask the company which conversations were affected and whether identifying information was included.

Regulatory and reputational risks

An exposure of children's chat data invites scrutiny from regulators and could trigger legal obligations depending on where affected families live. Companies handling kids' information face elevated obligations and reputational damage when protections fail.

The bottom line

Bondu’s exposed web console made roughly 50,000 children’s chat transcripts accessible to anyone with a Gmail account. The discovery by researchers highlights the real-world consequences of weak security controls on devices designed for kids. Families and the company should expect follow-up on containment, notification, and remediation.
