Parents, please think twice about letting your children play with talking toys that connect to the Internet. While kids may love having conversations with a special stuffed friend, there’s a big risk that strangers online can listen in on what they say.
The latest cautionary tale comes from CloudPets, a company that makes cute bears and dogs that can pass voice messages between kids and their parents. As the company’s marketing video for the toy shows, a dad on a business trip can use the CloudPets app to say “I miss you” through the stuffed toy—while his daughter can squeeze the toy’s arm to record a message that will be sent back to her dad.
Cute as this may be, such toys also pose a huge privacy risk because, like so much on the Internet, it’s easy for hackers to break into them. In the case of CloudPets, security researchers this week revealed that the company’s app relies on a Romanian company whose website contains huge security holes.
You can read all the technical details here on the blog of researcher Troy Hunt, but the gist of it is that a terrible security design makes it easy to steal all of CloudPets’ customer records—including the email addresses of parents—and to listen to recordings of what children have whispered to the toys. Hunt cites the example he heard of a little girl saying, “Hello Mommy and Daddy I love you so much,” and another of her singing.
According to Hunt, researchers and a journalist repeatedly contacted CloudPets to warn it about the security flaw, but so far the company has done nothing about it. Fortune attempted to contact the company, but a message to the only email address on its website bounced back.
The CloudPets incident is only the latest in a troubling series of stories about Internet-connected toys and dolls. In December, for instance, privacy groups filed a complaint with the Federal Trade Commission about a doll called “My Friend Cayla.” The doll maker reportedly recorded children’s conversations and stored them on a server to use in product testing. Meanwhile, Cayla caused such alarm in Germany that the government there advised parents to destroy the doll.
Such security lapses are not surprising in part because the core competency of toy makers is making and marketing toys—not creating secure Internet services. That’s why, for now at least, parents who want to purchase talking dolls should stick to the old-school ones that come with strings in their backs.