arstechnica.com 1/30/2026, 6:00:36 PM · via preferred

Web portal leaves kids' chats with AI toy open to anyone with Gmail account

According to WIRED, Bondu’s web-based portal, intended for parents to monitor conversations, left transcripts from virtually every chat the toy had with its young users accessible to anyone who logged in with a Google account. Researchers Thacker and Margolis found that more than 50,000 chat transcripts were exposed, revealing children’s names, birth dates, family member names, and detailed summaries of conversations.

The flaw was fixed after the researchers alerted Bondu, which took down the console and relaunched the portal the next day with authentication measures. The company stated that fixes were implemented within hours and that no evidence of access beyond the researchers had been found. The incident raises concerns about how AI-enabled toys store and handle sensitive information about children, including whether third-party AI services receive conversation content.

Bondu responded that it uses third-party enterprise AI services to generate responses and run safety checks, but that it minimises the data sent and applies controls, and that, according to its statement, prompts and outputs are not used for training.

Article by CyberSIXT