AI Toy Security Flaw Exposes Kids’ Private Chats

Think twice before buying AI-enabled stuffed toys for kids. A serious AI toy security flaw recently exposed thousands of children’s private conversations online.

Security researchers Joseph Thacker and Joel Margolis found that Bondu left over 50,000 chat logs unprotected. The issue surfaced when Thacker’s neighbor asked him to check the toy’s safety.

They didn’t need special access to view the data. Anyone with a Gmail account could log into Bondu’s parent portal. This portal was meant for caregivers and staff—but it had no real security.

Once inside, they saw nearly every conversation between kids and their Bondu toys. The logs included full names, birth dates, siblings’ names, and parents’ names.

This poses real-world dangers. “It’s a kidnapper’s dream,” Margolis told Wired. He added that this data could help someone lure a child into danger—and it was open to anyone.

Bondu responded fast. After the report, they took down the portal within minutes. They relaunched it the next day with stronger login controls.

CEO Fateen Anam Rafid said they fixed the issue in hours. He also stated they found no sign that anyone besides the researchers accessed the data.

Still, the team worries about AI toys in general. Bondu only stored text—not audio—which it deleted quickly. But the researchers suspect the toys use Google’s Gemini or OpenAI’s GPT-5. If so, kids’ data might go to third-party AI companies.

Lawmakers are now stepping in. California Senator Steve Padilla recently proposed a four-year ban on interactive AI toys. This follows reports of ChatGPT giving harmful advice to teens, including promoting self-harm.

In short, this AI toy security flaw shows a growing risk. As toys get smarter, they may also become privacy threats. Parents should demand strong security, clear data policies, and minimal data collection before buying any AI-powered toy.
