Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
bondu

bondu Vendor Cyber Rating & Cyber Score

bondu.com

AI enabled conversational companions for kids. Thoughtfully designed in to inspire their creativity, curiosity and confidence.


bondu A.I CyberSecurity Scoring

bondu
Company Information
Website:https://www.bondu.com
Employees number:8
Number of followers:2,465
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:bondu.com
bondu Risk Score (AI oriented)
Between 650 and 699
logo
bonduTechnology, Information and Internet
Updated:
28/03/2026
677/1000
Weak
B
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
bondu Global Score (TPRM)
xxxx
logo
bonduTechnology, Information and Internet
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

bondu
bonduWeak
Current Score
677B (WEAK)
01000
2 incidents
-46.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
682Before Incident
JUNE 2026
681Before Incident
MAY 2026
679Before Incident
APRIL 2026
679Before Incident
MARCH 2026
676Before Incident
FEBRUARY 2026
675Before Incident
JANUARY 2026
679Before Incident
Vulnerability
29 Jan 2026bondu
Bondu, OpenAI and Google: Security Researcher Finds Exposed Admin Panel for AI Toy

AI Toy’s Exposed Admin Panel Risked Children’s Personal Data and Conversations

674After Incident
CRITICAL-5
OPETHEGOO1769726523
AI Toy’s Exposed Admin Panel Risked Children’s Personal Data and Conversations Security researchers Joseph Thacker and Joel Margolis uncovered a critical security flaw in the Bondu AI toy, exposing an unsecured admin panel that could have leaked sensitive data from tens of thousands of child users. While investigating the toy for a neighbor, Margolis discovered an exposed domain (console.bondu.com) in the mobile app’s backend, which led to a "Login with Google" button intended for parents but granting unrestricted access to Bondu’s core admin dashboard. Once inside, the researchers found full access to children’s conversation transcripts, personal details, and device data, including: - Child’s name, birth date, and family member names - Likes, dislikes, and parent-defined objectives - Toy’s given name and past interactions (used for AI context) - Device location (via IP), battery status, and firmware controls The toy’s AI, powered by OpenAI GPT-5 and Google Gemini, used this data to tailor responses, though the researchers noted the collection was technically disclosed in Bondu’s privacy policy unlikely to be read by most users. Beyond the authentication bypass, they also identified an Insecure Direct Object Reference (IDOR) vulnerability, allowing retrieval of any child’s profile by guessing their ID. The flaw was accessible to anyone with a Google account, though the researchers limited their access to validation only. After responsibly disclosing the issue to Bondu’s CEO via LinkedIn, the company took down the console within 10 minutes and launched an investigation. Logs confirmed no unauthorized access beyond the researchers’ testing, averting a potential data breach. Bondu also initiated a bug bounty program and collaborated with the researchers to address additional risks. Despite the swift response, Thacker expressed concerns about AI toys, stating the incident shifted his stance on their safety. He highlighted risks of uncontrolled AI access in homes, noting that even well-intentioned designs could introduce vulnerabilities. Bondu’s website previously emphasized its 18-month beta testing with no reported safety issues, but the incident underscores the broader challenges of securing AI-driven children’s products.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
Data Compromised: Children’s conversation transcripts, personal details (name, birth date, family member names), likes/dislikes, parent-defined objectives, toy’s given name, past interactions, device location (via IP), battery status, firmware controlsSystems Affected: Bondu AI toy admin panel, mobile app backendOperational Impact: Admin panel taken down within 10 minutes of disclosureBrand Reputation Impact: Potential reputational damage due to exposure of children’s sensitive dataIdentity Theft Risk: High (children’s personal data exposed)
DATA BREACH
Type Of Data Compromised: Children’s personal data, conversation transcripts, device dataSensitivity Of Data: High (children’s personally identifiable information)Data Exfiltration: No confirmed exfiltration beyond researchers' validationPersonally Identifiable Information: Child’s name, birth date, family member names, device location (via IP)
DECEMBER 2025
764Before Incident
Breach
01 Dec 2025bondu
bondu and Miko: AI Toy Maker Reportedly Exposed Thousands Of Responses To Children

AI Toy Manufacturer Miko Exposed Thousands of Child Conversations in Unsecured Database

676After Incident
CRITICAL-88
THEMIK1770935689
AI Toy Manufacturer Miko Exposed Thousands of Child Conversations in Unsecured Database U.S. Senators Marsha Blackburn (R-Tenn.) and Richard Blumenthal (D-Conn.) revealed this week that AI-powered toy maker Miko left thousands of children’s interactions with its devices exposed in an unsecured, publicly accessible database. In a letter sent Wednesday, the senators stated that the database contained Miko’s side of conversations with children, including names and details of their interactions raising significant privacy and security concerns. The exposure was discovered using publicly available tools to analyze the toy’s Wi-Fi communications. While Miko CEO Sneh Vaswani denied any data breach, stating the company does not store children’s voice recordings, NBC News confirmed the database was accessible and contained thousands of daily responses from Miko toys dating back to December 2025. Though children’s voices were not directly recorded, the toy’s replies allowed observers to reconstruct conversations. The database was secured after Miko was notified. This incident follows previous reports of AI toys engaging in inappropriate behavior, including explicit sexual conversations, dangerous advice, and politically aligned responses. The senators have also sent inquiries to other AI toy manufacturers, such as Curio and FoloToy, regarding their data security practices. Meanwhile, another company, bondu, is under scrutiny for exposing children’s chat transcripts through a publicly accessible portal.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
Data Compromised: Thousands of children’s interactions, including names and conversation detailsSystems Affected: Miko’s database storing toy interactionsBrand Reputation Impact: SignificantLegal Liabilities: PotentialIdentity Theft Risk: High (children’s personal information)
DATA BREACH
Type Of Data Compromised: Children’s conversation details, names, and interaction logsNumber Of Records Exposed: Thousands (daily responses dating back to December 2025)Sensitivity Of Data: High (children’s personal information)Personally Identifiable Information: Names and conversation details
NOVEMBER 2025
764Before Incident
OCTOBER 2025
764Before Incident
SEPTEMBER 2025
764Before Incident
AUGUST 2025
764Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for bondu ?
?
What was bondu's A.I Rankiteo Cyber Score in June 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in May 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in April 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in March 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in February 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in January 2026 ?
?
What was bondu's A.I Rankiteo Cyber Score in December 2025 ?
?
What was bondu's A.I Rankiteo Cyber Score in November 2025 ?
?
What was bondu's A.I Rankiteo Cyber Score in October 2025 ?
?
What was bondu's A.I Rankiteo Cyber Score in September 2025 ?
?
What was bondu's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on bondu's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with bondu ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view bondu's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?