This toy was just pulled from the shelves for leaking voice recordings of children

It’s soft and cuddly — and comes with a huge security risk.

Teddy bears from connected toy company CloudPets will no longer be sold at a number of stores due to privacy concerns.

Retailers including Walmart Amazon and eBay  will stop carrying CloudPets stuffed animals after the company exposed more than two million recorded messages from parents and children to potential hackers. The CloudPets toys come with an app that kids use to record and send messages through the toys. The company captures those recordings and shares them with third parties under certain circumstances, but follows the restrictions of the Children’s Online Privacy Protection Act, according to its privacy policy.

In a statement to MarketWatch, CloudPets acknowledged the invasion of privacy, but said user information was not compromised. Walmart and Amazon did not respond to requests for comment.

The leak of the recordings became public in 2017, but retailers removed the toys just this week after the Electronic Frontier Foundation, a privacy nonprofit based in San Francisco, wrote an open letter on May 28 imploring companies to stop selling the devices, asking them to “consider putting in place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic practices in place to respect the trust that consumers place in them.”

The decision to stop selling CloudPets toys comes as more companies are criticized for not properly protecting consumers’ personal data, especially that of users under the age of 18. More than 1 million children were victims of identity fraud in 2017, a new study from Javelin Strategy & Research found, costing a total of $2.6 billion.

The demand for toys and other devices that connect to the internet is on the rise, but lawmakers are not introducing consumer protections to keep pace with the new products, said Abhishek Iyer, technical marketing manager at Demisto, a Cupertino, Calif-based security company.

“Connected toys can be advantageous for child development, but mainstreaming of these devices must be prefaced by two things,” he said. “There should be clear and stringent regulation governing the security of these toys, and parents should be proactive in upholding the security of toys by regularly changing passwords, and installing patches and updates.”

Consumers should not buy toys from unknown companies, he said, and should thoroughly read the privacy policies of any company they purchase from. They also should turn off a toy when it isn’t in use, use strong passwords, and not turn on additional features like GPS if it isn’t necessary. Parents can also teach their children about privacy and security, telling them from a young age to never give away details like name, address, birthday, or social security number.

Major retailers dropping CloudPets is a landmark decision, marking one of the first times a toy has been removed from the shelves due to digital security concerns rather than just safety reasons, said Marcus Harris, a Chicago-based software attorney and cyber-security expert.

But some privacy advocates say data privacy concerns should be addressed before such toys arrive on store shelves. “So-called ‘smart’ toys are now becoming widely popular among kids, yet many of these toy companies have not taken the necessary steps to secure their databases and safeguard families’ privacy and safety,” Harris said. “As such, what happened with CloudPets will likely only continue to happen, and possibly with even worse results.”