As for Spiral’s response?
There is none, and there may never be one. Security researcher Troy Hunt and others have tried reaching Spiral multiple times to no avail. The company doesn't appear to have notified customers despite obvious signs that something was amiss. From all indications, the company is on life support or dead: its social media accounts have been silent for months, and its stock price is near worthless.
The kicker is that a lot of this would be entirely avoidable. Tod Beardsley, Rapid7 security research director, tells Engadget that all of the flaws could have been addressed. However, Spiral seemed “uniquely uninterested” in taking them on. While Rapid7 tends to get responses from companies “about 70% of the time” and almost always sees them implement a fix or workaround when they get in touch, it’s “increasingly rare” for a company to go completely silent.
It's increasingly clear that connected toy makers are walking on glass when they decide to put kids' communications online. Even if a company doesn't do anything shady, it can take only one slip-up to expose extremely sensitive messages to the world. And that assumes skilled attackers don't find the data first, or that the company doesn't go belly-up without a firm plan to erase what it has stored. This doesn't mean that companies should abandon internet-capable toys altogether, but they need to both weigh the merits of storing any information online at all and take very, very thorough precautions to make sure that leaks like this can't happen.