Published on: October 17, 2023
A hacker allegedly stole and exposed the data of users from Sphero’s database, affecting an estimated 1 million educators and students.
SafetyDetectives’ cybersecurity team discovered a web forum post containing data that appears to have been stolen from Sphero, a programmable robot and educational tools manufacturer based in Hong Kong.
The hacker posted the database on a darknet forum on September 9, 2023. It was accompanied by the following text:
“Today, Sphero[,] the educational robot manufacturer, suffered a data breach. The data was stolen due to [a] security vulnerability that was present not only in the GraphQL API but also in various other parts of their system. Furthermore, we were able to [identify] multiple security flaws in Sphero’s infrastructure, which were exploited, allowing me to access sensitive information.”
Sphero creates STEM (science, technology, engineering, and mathematics) kits and robots for learning enhancement geared toward coding, science, music, and art. The company’s tools are reportedly used by over 40,000 educators worldwide.
The hacker supposedly found and exploited multiple vulnerabilities in Sphero’s security infrastructure, allowing them to steal sensitive data and personally identifiable information (PII). The forum post did not explicitly state the number of individuals affected or files stored in the database.
Our team reviewed only the sample shared in the post, so we could not directly verify the number of users affected. However, another forum member reported that there were 1,001,393 lines of code.
Based on the sample posted, it could be surmised that each line of code pertains to a unique user. If legitimate, the affected individuals likely include teachers and students using Sphero’s programs.
The sample data posted on the darknet forum included user information such as:
- Account ID numbers
- First and last names of users
- Emails and guardian emails (for minors)
- Membership history
- Avatars (profile photo URL)
- Job roles, titles, and bios
- Origins and locations of users
- Registration channels
- Archiving status and history
- API keys for Sphero’s internal LittleBits Community
In subsequent postings, the attacker added that more bugs were identified in the backend of Sphero’s systems. The security lapse enabled the hacker to conduct a massive account takeover.
An individual’s account details were exposed in the screenshot shared by the attacker. This suggests that the data purportedly stolen from Sphero was acquired by exploiting the vulnerability mentioned in the first post.
In line with its responsible disclosure principles, the SafetyDetectives team reached out to Sphero to report the potential breach and got in touch with an official representative. They requested to view the forum post, potentially to confirm the veracity of the leak. We shared the link to the post with Sphero and are awaiting further response.
Here is a summary of the alleged data breach:
| Where and when was the leak posted? | Web forum, on September 9, 2023 |
| Number of affected users | An estimate of 1,000,000+ |
Cybercriminals can potentially use the leaked sensitive data for fraud. They can capitalize on PII to attempt to break into online accounts and email addresses. Similarly, malicious actors could launch phishing campaigns using educators’ or teachers’ information, posing as official school representatives to scam students’ parents into disclosing more private information.
The potential exposure of minors’ information may have more devastating impacts. It could expose children to a risk of identity theft, with problems that may last throughout their lives, such as when applying for colleges or job opportunities.
What Should You Do if You Think You’re Affected?
If you are an educator who uses Sphero and believe that your account is affected by the suspected breach, immediately contact your school to inform them of the situation. Coordinate with school management to notify your students’ parents about the potential impact on their children’s data. Then, take steps to secure your personal information, such as changing your email login credentials.
If you are a parent of a student who uses Sphero’s programs, it is recommended that you review your child’s and your own online accounts to spot suspicious activity. Should you observe anything unusual, immediately fortify your accounts and inform your child’s school and teachers.
What Are Clearweb Leaks and Why Should You Care?
Hackers use all corners of the internet to share information, organize cyberattacks, and talk about data breaches. Some of hackers’ preferred channels are clearweb forums. These are online networks that allow users to post information about breaches and leaks. They offer anonymity to their members and have features like paywalling for users who choose to require payment from those who wish to access their shared data.
Our cybersecurity researchers scour popular data breach forums on the clearweb to find the latest cyberattacks, leaks, and breaches.
By reporting on these incidents, we aim to proactively inform potentially affected parties earlier so that they can act quickly to protect their data. Our disclosures are rooted in meticulous research and are intended solely for informational and preventive purposes. They should not be interpreted as accusatory or indicative of negligence on the part of any entity.
SafetyDetectives.com is the world’s largest antivirus review website. The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.