Sphero’s Million-User Data Exposed on Web Forum

Hong Kong-based company Sphero has encountered a substantial data breach, compromising the personal information of over a million educators and students.

According to the antivirus review service SafetyDetectives, sensitive data, presumably belonging to Sphero users, was pilfered and subsequently released online. However, the Privacy Commissioner for Personal Data (PCPD) asserted that no official notifications of the incident had been received from the company.

Screenshot of the hacker’s forum post exposing Sphero data | Image Credit: safetydetectives

SafetyDetectives analysts surmise that a hacker identified and exploited several vulnerabilities within Sphero’s security framework, enabling the theft of confidential data. The forum post does not specify the number of affected users or the volume of files stored in the database. Yet, a forum participant reported the database encompasses 1,001,393 data entries.

On the darknet, among other details, the following user data has been disclosed:

• Account ID numbers
• Usernames
• First and last names of users
• Emails and guardian emails (for minors)
• Birthdays
• Membership history
• Avatars (profile photo URL)
• Job roles, titles, and bios
• Origins and locations of users
• Registration channels
• Archiving status and history
• API keys for Sphero’s internal LittleBits Community
• Other profile data, such as privacy policy confirmation and points

The PCPD has indicated they will liaise with Sphero to determine if the company conducts operations in Hong Kong and whether the data of Hong Kong users is implicated.

SafetyDetectives cautions that the leaked information could be harnessed for subsequent fraud or identity impersonation. The SafetyDetectives team reached out to Sphero, providing a link to the data leak (potentially for verification of the leak’s authenticity), and awaits the company’s response.