Hong Kong tech firm Sphero suffers massive, alleged data theft – details of a million students, educators leaked
Hong Kong Free Press
Sphero – a Hong Kong manufacturer of programmable robots and educational tools – has suffered an apparent security breach exposing the personal data of a million educators and students.
On Monday, antivirus review website SafetyDetectives reported that sensitive data, appearing to belong to Sphero users, had been stolen and published online. However, the Office of the Privacy Commissioner for Personal Data (PCPD) told HKFP that it has not received any report from the firm.
When HKFP asked Sphero whether they had informed users of the breach, and why they failed to inform the authorities, a spokesperson on Thursday refused to comment.
Sphero creates kits and robots for coding, science, music, and art classes.
‘Multiple vulnerabilities’
“The hacker supposedly found and exploited multiple vulnerabilities in Sphero’s security infrastructure, allowing them to steal sensitive data and personally identifiable information,” the SafetyDetectives cybersecurity report said, referring to an online darknet post. “In subsequent postings, the attacker added that more bugs were identified in the backend of Sphero’s systems. The security lapse enabled the hacker to conduct a massive account takeover.”
The “darknet” refers to a version of the internet with restricted access, sometimes used for illegal activity owing to its privacy benefits. The darknet forum post included user information such as full names, emails, birthdays, profile photo URLs, job roles, location and bios.
The PCPD told HKFP on Thursday that they will contact Sphero “to ascertain if the company has any operation in Hong Kong and if any data subjects in Hong Kong are affected.”
The firm lists a Kwai Fong property as its international office, alongside a US warehouse.
SafetyDetectives warned that the leaked data could be used for scams or identity theft: “In line with its responsible disclosure principles, the SafetyDetectives team reached out to Sphero to report the potential breach and got in touch with an official representative. They requested to view the forum post, potentially to confirm the veracity of the leak. We shared the link to the post with Sphero and are awaiting further response.”