**An AI Toy Exposed 50K Logs of Its Chats With Kids to Anyone With a Gmail Account**
Imagine a stuffed dinosaur toy that doubles as an imaginary friend for your child, engaging in conversations and sharing secrets with them. Sounds like a harmless plaything, right? But what if I told you that this toy's manufacturer, Bondus, left its web-based portal wide open, exposing the private conversations of 50,000 children to anyone with a Gmail account?
Security researcher Joseph Thacker was approached by his neighbor earlier this month after she preordered two Bondus toys for her kids. She knew Thacker had worked on AI risks for kids and was curious about his thoughts on the toy's AI chat feature. Thacker took up the challenge, teaming up with web security researcher Joel Margolis to investigate.
With just a few minutes of work, they made a startling discovery: Bondus' web-based portal, intended for parents to monitor their children's conversations and for the company to track product use and performance, was also accessible to anyone with a Gmail account. By logging in with an arbitrary Google username, Margolis and Thacker found themselves browsing through thousands of private conversations between children and their Bondus toys.
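The flaw described here is the classic confusion of authentication with authorization: the portal established that the caller held a real Google account, but never checked that the account belonged to a registered parent, let alone to the parent of the child whose transcripts it served. The following Python sketch is an added illustration, not Bondus' code (the article does not describe how the portal was built). The child records, the parent table, the OAuth client id and the token claims are all constructed for the example, and the verification function stands in for Google's `google.oauth2.id_token.verify_oauth2_token()` so that the block runs offline. It shows a handler that grants access on sign-in alone next to one that maps the verified identity to a registered parent and then checks record ownership before returning anything.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the demonstration; none of these are real records.
# Each child record is owned by exactly one registered parent account.
CHILD_RECORDS: Dict[str, dict] = {
    "child-001": {"name": "Child One", "parent": "parent-A",
                  "transcripts": ["Child: can you keep a secret?", "Toy: of course"]},
    "child-002": {"name": "Child Two", "parent": "parent-B",
                  "transcripts": ["Child: my favourite snack is apples"]},
}

# Registered parents, keyed by the Google ID token's 'sub' claim. Binding on
# 'sub' rather than e-mail follows Google's own guidance: an address can
# change hands, the subject identifier does not. (Constructed values.)
REGISTERED_PARENTS: Dict[str, str] = {
    "sub-1111": "parent-A",
    "sub-2222": "parent-B",
}

# Assumption: the portal's own OAuth client id; a placeholder here.
EXPECTED_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"


@dataclass(frozen=True)
class IdTokenClaims:
    """The few Google ID token claims that matter for this example."""
    iss: str
    aud: str
    sub: str
    email: str
    email_verified: bool


def make_token(sub: str, email: str, email_verified: bool = True) -> IdTokenClaims:
    """Build the claims a successful Google sign-in would present (constructed)."""
    return IdTokenClaims("https://accounts.google.com", EXPECTED_CLIENT_ID,
                         sub, email, email_verified)


def verify_google_token(claims: IdTokenClaims) -> Optional[IdTokenClaims]:
    """Authentication only: stands in for Google's signature/issuer/audience check.

    The cryptographic signature check is assumed to have passed already; the
    remaining claim checks are the ones a service must still make itself.
    """
    if claims.iss not in ("accounts.google.com", "https://accounts.google.com"):
        return None
    if claims.aud != EXPECTED_CLIENT_ID or not claims.email_verified:
        return None
    return claims


Response = Tuple[int, Optional[object]]  # (HTTP status, body)


# --- Failure pattern: a valid Google login is treated as permission. ---------

def list_children_vulnerable(token: IdTokenClaims) -> Response:
    """Any Google account that signs in successfully sees every child record."""
    if verify_google_token(token) is None:
        return 401, None
    return 200, sorted(CHILD_RECORDS)


def get_transcripts_vulnerable(token: IdTokenClaims, child_id: str) -> Response:
    """Same defect one level down: no check that the child belongs to the caller."""
    if verify_google_token(token) is None:
        return 401, None
    record = CHILD_RECORDS.get(child_id)
    return (200, record["transcripts"]) if record else (404, None)


# --- Fix: authenticate, then authorize against the caller's own records. -----

def resolve_parent(token: IdTokenClaims) -> Tuple[int, Optional[str]]:
    """Map a verified identity to a registered parent, or refuse."""
    claims = verify_google_token(token)
    if claims is None:
        return 401, None
    parent = REGISTERED_PARENTS.get(claims.sub)
    if parent is None:
        return 403, None  # authenticated, but not a registered parent
    return 200, parent


def list_children_fixed(token: IdTokenClaims) -> Response:
    """Only the caller's own children are listed; strangers get 403."""
    status, parent = resolve_parent(token)
    if parent is None:
        return status, None
    return 200, sorted(cid for cid, rec in CHILD_RECORDS.items()
                       if rec["parent"] == parent)


def get_transcripts_fixed(token: IdTokenClaims, child_id: str) -> Response:
    """Object-level check: the record must exist AND belong to the caller."""
    status, parent = resolve_parent(token)
    if parent is None:
        return status, None
    record = CHILD_RECORDS.get(child_id)
    if record is None or record["parent"] != parent:
        return 404, None  # same answer for "absent" and "not yours": don't confirm existence
    return 200, record["transcripts"]


if __name__ == "__main__":
    stranger = make_token("sub-9999", "anyone@gmail.com")
    print("vulnerable:", list_children_vulnerable(stranger))  # every record
    print("fixed:     ", list_children_fixed(stranger))       # (403, None)
```

The two checks in the fixed path are independent and both are needed: `resolve_parent` refuses accounts that merely exist, and `get_transcripts_fixed` refuses a registered parent who guesses another child's identifier. Returning 404 rather than 403 for the second case avoids confirming which identifiers exist; a service that also wants an audit trail would log the rejected lookup with the caller's `sub`.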
The data exposed included children's names, birth dates, family member names, "objectives" chosen by parents for the child, and – most disturbingly – detailed summaries and transcripts of every previous chat between the child and their Bondu. It was as if the toy had been secretly sharing intimate conversations with anyone who happened to stumble upon the portal.
Imagine browsing through a database containing the pet names kids gave their Bondus toys, their favorite snacks and dance moves, or even the likes and dislikes of toddler owners. The sheer amount of personal data exposed was staggering – 50,000 logs of conversations, all accessible with just a Gmail account.
The researchers' findings raise serious concerns about the potential for misuse of this sensitive information. Who can access these records? Can they be used to target children for advertising or phishing attacks? The fact that no actual hacking was required to gain access only adds to the alarm.
Bondus, it seems, has some major security flaws to address. As a company that markets its product as a safe and engaging toy for kids, it has a responsibility to ensure that these sensitive conversations remain private. Until it secures its portal, we can only imagine what other secrets are being shared – or exposed – through the Bondus toy.
As parents, we trust our children's toys to be harmless, but this incident serves as a stark reminder of the potential risks associated with AI-powered playthings. What will it take for companies like Bondus to prioritize security and protect their users' data?