Introduction
The alarming news that an AI toy data leak exposes kids has sent shockwaves through the tech and parenting communities. A widely used smart toy, “Codi,” unintentionally exposed the voices, identities, and conversations of more than 50,000 children due to an unsecured Firebase cloud database. Security researchers uncovered that the tool was saving personal data with zero authentication restrictions, putting young users at risk of surveillance, exploitation, and privacy violations. This event not only raises serious concerns for families but also highlights critical failures in child data protection laws like COPPA and GDPR. It underscores the urgent need for reform, accountability, and secure design in AI-powered children’s products.
Key Takeaways
- Over 50,000 children’s chats and voice recordings from the Codi smart toy were publicly accessible due to a misconfigured Firebase database.
- The breach shows persistent security weaknesses in IoT-connected toys and weak enforcement of child data protection regulations.
- Experts warn this reflects a broader trend of inadequate privacy controls in products made for young users.
- Legal frameworks like COPPA and GDPR are struggling to keep pace with advances in AI and consumer tech.
What Happened? Inside the Codi Data Leak
Security researchers recently disclosed a critical vulnerability in the backend systems of Codi, an AI-powered smart toy designed for children. The toy stored voice logs, user chat histories, and identifying metadata in a Google Firebase database that had no password, no authentication, and no data access restrictions.
This misconfiguration allowed anyone with sufficient technical knowledge and internet access to retrieve and listen to conversations between children and the toy. Binary analysis conducted by experts revealed the database included voice messages, usernames, timestamps, user device IDs, and even some parental account details.
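The difference between an open and a locked-down Firebase Realtime Database comes down to a few lines of rules. The following is an added illustration, not Codi's actual configuration or code from the researchers: the commented-out block resembles the kind of public rule set the article describes, and the active block is a hardened equivalent. The `recordings`, `$uid`, `createdAt` and `audioPath` names are assumed for the example.

```json
// Weak configuration (assumed to resemble the open database described above):
// every client, signed in or not, can read and write the entire tree.
// { "rules": { ".read": true, ".write": true } }

// Hardened configuration: deny everything by default, require a signed-in
// account, and let each account reach only the records stored under its own uid.
{
  "rules": {
    ".read": false,
    ".write": false,
    "recordings": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "$recordingId": {
          ".validate": "newData.hasChildren(['createdAt', 'audioPath'])"
        }
      }
    }
  }
}
```

Firebase rules cascade downward, so a single top-level `".read": true` turns the whole database into an unauthenticated public endpoint no matter what is written beneath it; granting access only at the per-user path is what keeps one family's recordings invisible to every other client.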
The exposed data was discovered by a group of ethical hackers using open-source intelligence methods. After confirming the severity of the leak, they responsibly disclosed the issue to the toy manufacturer and released a public advisory after the vulnerability was addressed.
Why This Matters: Security and Legal Implications
This breach raises major concerns about smart toy privacy risks, particularly with AI technologies and cloud infrastructure involved. Children cannot legally or cognitively consent to data collection. Exposure of their interactions represents a serious breach of trust and safety. In the United States, children under 13 are protected by the Children’s Online Privacy Protection Act (COPPA). In the EU, GDPR emphasizes data minimization and privacy by design for minors.
Storing highly sensitive, personalized child data in a public database likely violates both regulations. The lack of authentication shows that proper data protections were not followed or enforced.
Codi Smart Toy: Who Makes It and Who Uses It?
Codi was developed by Pillar Learning, a U.S.-based educational technology startup. The toy is marketed as an “AI learning companion” that uses machine learning to personalize stories, music, and verbal interaction for each child. Parents connect through a mobile app and control its features remotely.
The primary users are young children aged 3 to 8. Codi’s friendly design and interactive voice features have driven its popularity in recent years. Still, the company appeared to prioritize rapid growth over sound security protocols. For a product with this much AI integration, the oversight highlights a troubling failure to protect young users from digital exposure.
Expert Commentary and Ethical Concerns
Child privacy advocates and cybersecurity professionals have strongly condemned the exposure. Troy Hunt, the creator of Have I Been Pwned, stated, “When something stores voice data from kids and doesn’t authenticate its cloud connection, that’s not an oversight. That’s a systemic failure.”
The Mozilla Foundation shared similar views, saying in a post, “Young children should not be collateral damage in the pursuit of tech innovation. Devices like Codi must be built secure by default.”
Common Sense Media added that breaches like this enable long-term threats, including identity theft, AI impersonation, and digital surveillance. Kids today leave lasting digital trails. Without protection, this could impact them much later, including in advertising, education, and financial tools.
There is growing concern about other incidents as well. In a related case, AI-powered chatbot interactions have even been connected to youth harm, as detailed in coverage of the lawsuit linking chatbots to teen self-harm.
Past Precedents: A Pattern of IoT Toy Breaches
This is far from the first case of vulnerable smart toys. These prior breaches paint a troubling picture:
- My Friend Cayla (2017): Banned in Germany after it was found that the doll’s unsecured Bluetooth connection could be abused for surveillance.
- CloudPets (2018): A MongoDB server leak exposed over 2 million voice messages and user passwords.
- VTech (2015): A breach exposed 6.4 million children’s data, including private chats and photographs.
These cases reveal a broader pattern among toy manufacturers. Many prioritize quick market launches over secure development. Basic tests and safety checks are often bypassed during production cycles.
Regulatory Lens: Could COPPA or GDPR Be Enforced?
The Federal Trade Commission governs COPPA compliance in the United States. It mandates that developers of digital tools directed at children must collect verifiable consent, store data securely, and inform parents about the information collected.
Storing children’s voices and personal data in an open database likely fails multiple COPPA provisions. The FTC has taken action previously for less serious infractions, so legal consequences may follow.
In the European Union, GDPR enforcement could bring substantial fines. Toys that interact with EU children are subject to regulations that demand privacy safeguards at every step. Codi’s failure to protect data or limit access suggests serious non-compliance. This case may accelerate initiatives to improve how AI systems protect consumers across borders, similar to the steps already seen when Meta signed the EU AI code of practice.
Impact on the Smart Toy Industry
As AI toys become more advanced, industry leaders face growing pressure to enforce ethical design. The Codi exposure is a wake-up call. Industry-wide safety audits and requirements for basic cybersecurity hygiene are no longer optional. Manufacturers may soon be asked to certify their toys through third-party cybersecurity labs.
Some companies are taking steps toward responsible development. For example, Mattel recently introduced new AI toy features while promoting safer, more transparent tech practices. Their approach, outlined in coverage of Mattel’s AI-powered toy innovation, could be a model for others in the space.
What Parents and Users Should Know
- Check whether the toy or app your child uses stores voice or personal data.
- Look into the toy’s manufacturer for history of breaches or security criticisms.
- Regularly adjust settings and review permissions in mobile companion apps.
- Support clear privacy labels to help consumers understand exactly what data a product collects.
Parents often look to digital companions as safe and educational toy options. Still, compromises to privacy must be part of the decision-making process. Evaluating the device’s security setup is just as important as its interactive features.
Conclusion: A Wake-Up Call for Toy Tech Ethics
The breach in which an AI toy data leak exposes kids makes one thing very clear. Innovation and convenience are advancing rapidly, while privacy and safety protections lag behind. Regulatory efforts alone will not be enough. Coordinated pressure from parents, lawmakers, and industry experts will be needed to improve transparency and enforce better design.
Children deserve high standards of protection. That must be built into every component of smart toys, starting from code and extending to vendor policies. Similar to how AI tools in education require privacy safeguards, toys must raise the bar as well.
FAQs
What is COPPA and how does it protect child privacy?
COPPA, the Children’s Online Privacy Protection Act, is a U.S. federal law that requires websites, apps, and connected devices directed at children under 13 to obtain verifiable parental consent before collecting personal information. It also requires companies to implement reasonable security safeguards and gives parents the right to review and delete their child’s data.
How can smart toys compromise children’s data?
Smart toys rely on cloud servers, wireless connectivity, microphones, and companion apps to function. If these systems lack strong encryption, secure authentication, or properly configured databases, sensitive information such as voice recordings and account credentials can be exposed through hacking or security failures.
What counts as personal information under child privacy laws?
Personal information includes a child’s name, address, email, phone number, geolocation data, voice recordings, photos, and persistent identifiers such as IP addresses or device IDs that can track a child across platforms.
Are voice recordings from smart toys protected under the law?
Yes, voice recordings are protected if they contain identifiable information. Companies must obtain parental consent before collecting them and must secure stored audio files against unauthorized access.
What happens if a company violates COPPA?
Companies that violate COPPA can face significant financial penalties, regulatory investigations, and mandatory compliance programs enforced by the Federal Trade Commission.
How does encryption protect children’s data?
Encryption secures data by converting it into coded form during transmission and storage. This prevents unauthorized parties from reading sensitive information even if systems are breached.
Are companies allowed to use children’s data to train AI models?
Companies may only use children’s data for AI training if they obtain explicit parental consent and clearly disclose how the data will be processed and stored.
What should parents do if a smart toy experiences a data breach?
Parents should immediately change passwords, enable two-factor authentication if available, monitor accounts for unusual activity, and request deletion of stored data from the company.
Are there privacy laws outside the United States that protect children?
Yes, many countries enforce child data protections. For example, European data protection regulations impose strict requirements on consent, transparency, and security when handling children’s information.
How can parents evaluate whether a smart toy is secure?
Parents can review privacy policies, verify encryption standards, check for regular software updates, limit unnecessary permissions, and purchase devices from manufacturers with established cybersecurity track records.
Why are connected toys a growing privacy concern?
Connected toys collect and transmit data continuously, increasing the number of potential entry points for cyberattacks. As AI capabilities expand, so does the volume of sensitive data collected, raising regulatory and ethical concerns.
Conclusion
The rise of AI-powered smart toys has intensified scrutiny around child data protection. Laws like COPPA establish critical safeguards, but enforcement and technological diligence remain essential. Smart toys rely on cloud connectivity and data processing, which introduce cybersecurity vulnerabilities if not properly secured. As AI systems become more embedded in consumer products, legal compliance, encryption standards, and parental oversight will determine whether innovation aligns with child privacy protections.