Sphero – a Hong Kong manufacturer of programmable robots and educational tools – has suffered an apparent security breach exposing the personal data of a million educators and students.

On Monday, antivirus review website SafetyDetectives reported that sensitive data, appearing to belong to Sphero users, had been stolen and published online. However, the Office of the Privacy Commissioner for Personal Data (PCPD) told HKFP that it has not received any report from the firm.

When HKFP asked Sphero whether they had informed users of the breach, and why they failed to inform the authorities, a spokesperson on Thursday refused to comment.

Sphero creates kits and robots for coding, science, music, and art classes.

‘Multiple vulnerabilities’

“The hacker supposedly found and exploited multiple vulnerabilities in Sphero’s security infrastructure, allowing them to steal sensitive data and personally identifiable information,” the SafetyDetectives cybersecurity report said, referring to an online darknet post. “In subsequent postings, the attacker added that more bugs were identified in the backend of Sphero’s systems. The security lapse enabled the hacker to conduct a massive account takeover.”

The “darknet” refers to a version of the internet with restricted access, sometimes used for illegal activity owing to its privacy benefits. The darknet forum post included user information such as full names, emails, birthdays, profile photo URLs, job roles, location and bios.

The PCPD told HKFP on Thursday that they will contact Sphero “to ascertain if the company has any operation in Hong Kong and if any data subjects in Hong Kong are affected.”

The firm lists a Kwai Fong property as its international office, alongside a US warehouse.

SafetyDetectives warned that the leaked data could be used for scams or identity theft: “In line with its responsible disclosure principles, the SafetyDetectives team reached out to Sphero to report the potential breach and got in touch with an official representative. They requested to view the forum post, potentially to confirm the veracity of the leak. We shared the link to the post with Sphero and are awaiting further response.”

Tom founded Hong Kong Free Press in 2015 and is the editor-in-chief. In addition to editing, he is responsible for managing the newsroom and company - including fundraising, recruitment and overseeing HKFP's web presence and ethical guidelines.

He has a BA in Communications and New Media from Leeds University and an MA in Journalism from the University of Hong Kong. He previously led an NGO advocating for domestic worker rights, and has contributed to the BBC, Deutsche Welle, Al-Jazeera and others.