A serious privacy breach has been uncovered involving a popular AI-enabled plush toy made by Bondu, raising major concerns about how children’s data is stored and protected by smart devices.
Bondu’s cuddly dinosaur-shaped toy is marketed as:
“A soft, cuddly toy powered by AI that can chat, teach, and play with your child.”
However, security researchers discovered that — contrary to what parents might expect — anyone with a basic Google (Gmail) account could access the private conversations children had with these toys.
How the Exposure Happened
Two researchers, working independently, found that Bondu’s public web portal — the interface meant for parents to view transcripts — was misconfigured. A completed Google sign-in was treated as sufficient on its own; nothing checked that the signed-in account belonged to a registered parent, or that it was entitled to the particular transcripts it requested. In practice, the portal:
- Allowed anyone with any Gmail account to log in.
- Then granted access to transcripts from virtually every child who had interacted with a Bondu toy.
In total, roughly 50,000 private chat logs were left exposed.
These logs contained a frightening amount of personal information, including:
- Children’s names
- Birthdates
- Family information
- Full transcripts of their conversations with the toy
Given the level of detail in these chat logs, the data could easily be misused by malicious parties — from profile building to targeted social engineering.
And what’s more, this exposure didn’t require any “hacking” in the traditional sense — just logging into a poorly secured portal with a Gmail account.
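As an added illustration (hypothetical code, not Bondu’s portal or anything the researchers published), the Python sketch below contrasts the pattern the article describes, where any Google sign-in is accepted as proof of entitlement, with a handler that also checks the signed-in account is a registered parent of the child whose transcript is requested. It ends with a small audit-log query showing the kind of evidence a claim like “nobody else accessed the data” has to rest on. Every name, e-mail address, child ID and transcript line is constructed.

```python
"""Added illustration (hypothetical code, not Bondu's): authenticating a Google
account versus authorising it to read one particular child's transcripts.
Every name, e-mail address, child ID and transcript line below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed transcript store, keyed by child ID.
TRANSCRIPTS = {
    "child-001": ["Hi Bondu!", "My birthday is in June."],
    "child-002": ["Can you tell me a story?"],
}

# Constructed registry of which parent account owns which child records.
# An account absent from this table is just a signed-in Google user.
PARENT_OF = {
    "alice@example.com": {"child-001"},
    "bob@example.com": {"child-002"},
}


@dataclass
class Identity:
    """What a federated sign-in proves: an issuer vouches for an e-mail address."""
    email: str
    issuer: str  # e.g. "accounts.google.com"


class AccessDenied(Exception):
    pass


# In-memory access log so "who read what" can be answered after the fact.
ACCESS_LOG = []


def get_transcript_vulnerable(identity, child_id):
    """Mirrors the misconfiguration in the article: the only gate is having
    completed a Google sign-in, so any Gmail user can read any child's log."""
    if identity.issuer != "accounts.google.com":
        raise AccessDenied("not signed in")
    ACCESS_LOG.append((identity.email, child_id, "allowed"))
    return TRANSCRIPTS[child_id]


def get_transcript_hardened(identity, child_id):
    """Authentication is necessary but not sufficient: the account must be a
    registered parent, and that parent must own this specific child's record."""
    if identity.issuer != "accounts.google.com":
        raise AccessDenied("not signed in")
    owned = PARENT_OF.get(identity.email, set())
    if child_id not in owned:
        ACCESS_LOG.append((identity.email, child_id, "denied"))
        raise AccessDenied(f"{identity.email} is not a parent of {child_id}")
    ACCESS_LOG.append((identity.email, child_id, "allowed"))
    return TRANSCRIPTS[child_id]


def hardened_allows(identity, child_id):
    """Convenience wrapper: True if the hardened handler would serve the record."""
    try:
        get_transcript_hardened(identity, child_id)
        return True
    except AccessDenied:
        return False


def accounts_reading_many_children(log, threshold=2):
    """Detection over the access log: accounts that successfully read the
    transcripts of at least `threshold` distinct children, more than a single
    household would plausibly own. Returns a sorted list of e-mail addresses."""
    seen = defaultdict(set)
    for email, child_id, outcome in log:
        if outcome == "allowed":
            seen[email].add(child_id)
    return sorted(email for email, kids in seen.items() if len(kids) >= threshold)


if __name__ == "__main__":
    stranger = Identity("random.user@gmail.com", "accounts.google.com")
    # Vulnerable handler: an unrelated Gmail account walks through every record.
    for cid in TRANSCRIPTS:
        print("vulnerable:", cid, get_transcript_vulnerable(stranger, cid))
    # Hardened handler: the same account is refused.
    print("hardened allows stranger:", hardened_allows(stranger, "child-001"))
    print("suspicious accounts:", accounts_reading_many_children(ACCESS_LOG))
```

The point of the hardened handler is that the parent registry, not the identity provider, decides who may read a given record; the access log is what turns “we have no evidence of other access” from an assumption into something that can be checked.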
Bondu’s Response
Once the issue was reported, Bondu took the portal offline within minutes. The company later relaunched it with proper authentication measures in place and brought in outside security experts to audit their systems. The company also claims that:
- Fixes were implemented within hours.
- There’s currently no evidence that anyone outside the two researchers accessed the data.
Despite these assertions, the incident has sparked alarm among privacy experts and lawmakers alike.
Wider Implications & Regulatory Scrutiny
The breach has drawn political attention in the U.S. In a letter to Bondu’s CEO, a U.S. Senator demanded clarification on:
- What security failures allowed the exposure.
- Who exactly may have accessed the data.
- Whether the use of third-party AI systems may have contributed to the flaw.
This type of incident highlights deeper issues in the industry, where AI products for children may be developed and deployed without mandatory privacy-by-design standards.
Unlike traditional toys or apps, AI companions like Bondu’s plush are designed to create long-running, personal conversations with children. That means they record, process, and store data that could be extremely sensitive — and without robust security controls, that data becomes a serious liability.
What This Means for Parents
Experts stress that this incident is a cautionary tale for families considering AI toys. The risks aren’t just about what the toy says — they’re also about how the toy stores and protects data.
Security recommendations for parents include:
- Closely reviewing privacy policies for connected toys.
- Limiting what kinds of personal data are shared with cloud-connected devices.
- Considering disabling internet features when not in use.
- Monitoring any accounts connected to smart toys for unusual access.
Broader Context — Not an Isolated Event
This isn’t the first time that connected toys have raised privacy alarms — a data breach involving another toy line in 2017 had already shown how insecure these systems can be when poorly implemented. That incident exposed millions of voice messages and user records.
Today’s AI-powered toys extend that risk further: they not only collect voice data but store full conversational logs, often in cloud systems, creating a larger and more sensitive data footprint than ever before.
