www.malwarebytes.com 2/3/2026, 5:25:27 PM

An AI plush toy exposed thousands of private chats with children

An AI plush toy from Bondu exposed a web console that let anyone with a Gmail account read about 50,000 private chats between children and their cuddly toys. The console accepted a login from any Google account, so two researchers could read transcripts from virtually every child who used the toy without any actual hacking. The chat logs included names, birth dates, family details and intimate conversations; only chats that parents or company staff had manually deleted were unavailable.

Bondu took the console offline within minutes of disclosure and relaunched it with authentication. The CEO said fixes were completed within hours and that there was “no evidence” of other access; a security firm was brought in and monitoring was added. The article notes that similar AI toys have previously drawn concern, including an AI teddy bear marketed by FoloToy that discussed unsafe topics. According to Malwarebytes, the piece was written by Pieter Arntz and published on 3 February 2026.
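
The flaw described above is authentication without authorization: a valid Google sign-in proved who the visitor was, but nothing checked whether that identity was allowed to read transcripts. The following is an added example, not Bondu's code (the article does not describe the console's implementation); it assumes the Google ID token's signature has already been verified by a library, and the policy values, domain and role names are hypothetical.

```python
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Hypothetical deployment values, constructed for this example.
POLICY = {
    "client_id": "console-client-id.apps.googleusercontent.com",
    "workspace_domain": "toyvendor.example",
    "staff_roles": {"support@toyvendor.example": "transcript-reader"},
}

def weak_console_access(claims):
    """Authentication only: any verified Google identity gets in."""
    return claims.get("iss") in GOOGLE_ISSUERS and claims.get("email_verified") is True

def hardened_console_access(claims, policy, required_role, now=None):
    """Authentication plus authorization. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "wrong issuer"
    if claims.get("aud") != policy["client_id"]:
        return False, "token issued for another application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    # hd is only present for Google Workspace accounts; consumer Gmail has none.
    if claims.get("hd") != policy["workspace_domain"]:
        return False, "account outside the company workspace"
    # Being in the right domain is not enough: access is granted per person, per role.
    role = policy["staff_roles"].get(claims.get("email", "").lower())
    if role != required_role:
        return False, "no role grants access to transcripts"
    return True, "ok"

# Constructed claims, as they would look after signature verification.
NOW = 1_770_000_000
OUTSIDER = {"iss": "https://accounts.google.com", "aud": POLICY["client_id"],
            "exp": NOW + 3600, "email": "someone@gmail.com", "email_verified": True}
STAFF = {**OUTSIDER, "email": "support@toyvendor.example", "hd": "toyvendor.example"}
NEW_HIRE = {**STAFF, "email": "intern@toyvendor.example"}

if __name__ == "__main__":
    for name, c in [("outsider", OUTSIDER), ("staff", STAFF), ("new hire", NEW_HIRE)]:
        print(name, weak_console_access(c),
              hardened_console_access(c, POLICY, "transcript-reader", NOW))
```

Logging each denial reason alongside the account that triggered it gives the monitoring mentioned above something concrete to alert on.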

Article by CyberSIXT