(Bloomberg View) – How dangerous is a teddy bear or a doll?In the Internet of Things era, it's not an idlequestion but one for parents and regulators to ponderseriously.

On Monday, Troy Hunt, thecybersecurity expert who maintains the “Have Ibeen pwned?” database of major breaches affecting the clientsof internet businesses, revealed a problem with CloudPets, a series of cuddly toys made by a U.S. companycalled Spiral Toys. The toys allow parents to talk with theirkids remotely. The conversations were recorded and stored— along with users' encrypted passwords — on anunprotected server that belonged to a Romanian company calledmReady. The passwords were easy to break.

Related: 2016's most dangerous toys

Hunt listened to some of the messages — sweet nothings kidswant to say to their parents. Any malicious actor could havefigured out how to communicate with the kids. Apparently, theexposed database was located numerous times using a searchengine that finds connected devices, and attempts were made tohold Spiral Toys for ransom.

It was useless: According to a quarterly report it filed in thesummer of 2016, the tiny, loss-making company had stopped makingtoys. Which, of course, hardly solves the problem for the parentswho still have CloudPets in their homes.

Exposing kids to cyber risks

This is not the first time connected toys have been found toexpose kids in this way. Cayla, the doll made by Genesis Toys, allowed strangers (alsoapparently advertisers) to speak directly to children.

Another Genesis toy called i-Que co-starred with Caylain a complaint to the Federal Trade Commission in the U.S. whilea German regulator, the Federal Network Agency, thismonth banned Cayla outright, saying it was essentially aspying device. The regulator also said it was testing otherconnected toys.

A doll made a much bigger company, Mattel has put out alengthy list of frequently asked questions designed to convinceparents that its web-connected HelloBarbie is safe. In 2015, security researcher MattJakubowski claimed to have hacked it, getting access to sound filesand location data.

Most parents understand what's wrong with letting their kids usesocial networks and have their locations and activities tracked.Instinctively, many won't even post their kids' pictures online— and that's probably wise because their own activity is beingtracked and bad actors can get access to the data. But VTech, thecompany that makes the Kidzoom DX — a kind of children'ssmartwatch that was popular during the last holiday season— had been hacked in 2015, providing data on hundreds ofthousands of kids who had used the firm's toy laptops.

Bullying, extortion, kidnapping

The opportunities for bullying, extortion, even kidnapping usingthe connected toys are endless. But adults' information is also atrisk from them: The toys can be conduits into home networks. A caseis even known in which an internet-connected toy robot wasused to take a picture of someone's apartment keys.

Related: 10 things to do to keep hackers out of yourhome

Of course, every internet-connected object — a thermostat,a home lighting system, a car — can be unsafe. But adults aresupposed to be qualified risk-takers, and yet they exposetheir children at an increasing rate. In late 2015, Juniper Research estimated the size of thesmart toy market that year at $2.8 billion and predicted it wouldtop $11 billion in 2020.

Millennial parents are connected toy makers' biggest hope: Theyallow their kids more screen time than previous generations ofmoms, and they generally trust technology, and technologycompanies, far more than analog-age people evercould. According to BSM Media, a companythat specializes in marketing to mothers, 38 percent of moms buytheir kids connected toys because they “look educational.”

Like most of the data we voluntarily donate to internetcompanies, our kids' data probably won't be used for an evilpurpose. But one breach is enough to change that, and to plunge afamily into hell. If parents don't realize that, it can only fallto regulators to make sure kids are protected.

This column does not necessarily reflect the opinion of theeditorial board or Bloomberg LP and its owners.

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.