January 31, 2026

Web portal leaves kids' chats with AI toy open to anyone with Gmail account

Just about anyone with a Gmail account could access Bondu chat transcripts.

TL;DR

  • Researchers found Bondu's web portal exposed over 50,000 chat transcripts and personal data of child users.
  • The data, including names, birth dates, and conversation details, was accessible by logging in with any Gmail account.
  • Bondu fixed the vulnerability within hours of being notified.
  • The company stated there was no evidence of access beyond the researchers.
  • The incident raises broader concerns about data privacy and security in AI-enabled children's toys.
  • Bondu reportedly uses third-party AI services like Google's Gemini and OpenAI's GPT-5 for responses.
  • Researchers suspect the unsecured console may have been 'vibe-coded' using generative AI tools, leading to security flaws.