An AI-powered stuffed toy company just exposed the intimate conversations of thousands of children to anyone with a Gmail account. Security researchers Joseph Thacker and Joel Margolis discovered that Bondu, maker of AI chat-enabled dinosaur toys, left its entire web console unprotected - allowing strangers to access over 50,000 chat transcripts, children's names, birthdates, and detailed personality profiles with nothing more than a Google login. The breach raises urgent questions about how AI toy companies handle the deeply personal data they collect from kids.
When Joseph Thacker's neighbor mentioned she'd pre-ordered AI-powered stuffed dinosaurs for her kids, she asked the security researcher for his thoughts. What Thacker discovered in just minutes of poking around sent shockwaves through the child safety community.
Bondu, the startup behind these AI chat toys, had left its entire backend console wide open. Thacker and fellow researcher Joel Margolis didn't need to hack anything - they simply logged in with a Gmail account and found themselves staring at the private conversations of thousands of children. Pet names kids gave their toys. Favorite snacks. Dance moves. The intimate, unguarded thoughts children share with what they believe is a trusted companion.
The scale of the exposure is staggering. More than 50,000 chat transcripts sat accessible to anyone who stumbled upon Bondu's public-facing portal. Children's full names, birthdates, family member details, and "objectives" parents had set for their kids - all there for the taking. No authentication required beyond a basic Google account.
"It felt pretty intrusive and really weird to know these things," Thacker told WIRED. "Being able to see all these conversations was a massive violation of children's privacy."
Bondu CEO Fateen Anam Rafid says the company acted fast once alerted, taking down the console within minutes and implementing proper authentication the next day. In a statement to WIRED, Rafid claimed security fixes "were completed within hours" and that the company "found no evidence of access beyond the researchers involved." Bondu has since hired a security firm to validate its investigation and monitor systems going forward.
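The failure described above is a classic confusion of authentication with authorization: the console confirmed that a visitor had signed in with some Google account, but never checked whether that account was one the company had actually authorized. The example below is added here to illustrate that distinction; it is not Bondu's code and makes no claim about how their console was built. It assumes a hypothetical internal tool that receives the claims of a Google OpenID Connect ID token (the real `email`, `email_verified` and `hd` claims) and shows a weak gate next to a hardened one that requires a verified address on an explicit staff allowlist with the expected role.

```python
# Added example (hypothetical, not the company's code): an authorization gate
# for an internal console that stores children's chat transcripts.
# The weak version treats "logged in with any Google account" as "authorized";
# the hardened version makes authorization a separate, explicit decision.

# Constructed sample claims shaped like a Google OIDC ID token payload.
# All names, domains and ids are made up for this example.
STAFF_ACCOUNT = {
    "sub": "1001",
    "email": "ops@example-toyco.com",
    "email_verified": True,
    "hd": "example-toyco.com",   # hosted-domain claim set for Workspace accounts
}
STRANGER_ACCOUNT = {"sub": "2002", "email": "someone@gmail.com", "email_verified": True}
LOOKALIKE_ACCOUNT = {"sub": "3003", "email": "ops@example-toyco.com", "email_verified": False}

# Hypothetical allowlist: only these accounts may open the console, each with a role.
ALLOWED_STAFF = {"ops@example-toyco.com": "admin"}
STAFF_DOMAIN = "example-toyco.com"


def weak_gate(claims):
    """Vulnerable check: any successfully authenticated Google user gets in."""
    return claims.get("email") is not None


def hardened_gate(claims, allowlist=ALLOWED_STAFF, required_role="admin"):
    """Return (allowed, reason). Each reason is something a defender would
    want to see in an audit log for a denied attempt."""
    email = (claims.get("email") or "").lower()
    if not email:
        return False, "no email claim"
    # An unverified email can be set to any string by the account owner.
    if not claims.get("email_verified", False):
        return False, "email not verified"
    # Require the hosted-domain claim so a consumer account cannot pass
    # merely by having a matching-looking address.
    if claims.get("hd") != STAFF_DOMAIN:
        return False, "not a staff workspace account"
    role = allowlist.get(email)
    if role is None:
        return False, "account not on allowlist"
    if role != required_role:
        return False, f"role {role!r} insufficient"
    return True, "ok"


def audit_line(claims, decision):
    """Build a single structured log line; this is the kind of record that
    lets a company later say with evidence who did and did not get access."""
    allowed, reason = decision
    return (f"console_access subject={claims.get('sub')} "
            f"email={claims.get('email')} allowed={allowed} reason={reason}")


if __name__ == "__main__":
    for acct in (STAFF_ACCOUNT, STRANGER_ACCOUNT, LOOKALIKE_ACCOUNT):
        print("weak:", weak_gate(acct))
        print(audit_line(acct, hardened_gate(acct)))
```

The key design point is that the identity provider only answers "who is this?"; the application must separately answer "is this person permitted here?" against a list it controls, and must log denials so that a later claim of "no evidence of access beyond the researchers" can rest on records rather than on hope.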