The FBI released an advisory in July 2017 warning about the risks of connected toys. I have put the link to it here:
https://www.ic3.gov/media/2017/170717.aspx
From a newsletter I receive from Bitdefender also comes this advice:
"Vulnerable internet-connected devices are an open invitation for predators to get inside your home. In an instant, an outsider could access your child’s name, date of birth, hobbies, school activities, likes and dislikes and, in some cases, even private photos and physical address. So it’s not only that private information is leaked, but it could lead to identity fraud and, in some cases, physical safety may also be at risk.
So far, action has been taken against Cayla the talking doll, CloudPets – the teddy bear that leaked two million voice recordings, and a number of hacked baby monitors, among others.
In light of increased hacking activity, the Federal Trade Commission announced privacy rules also apply to IoT toys, in compliance with The Children’s Online Privacy Protection Act (COPPA). Additionally, any company failing to comply or rush to market devices with weak security will be in violation of Section 5(a) of the FTC Act.
Parents can take measures to protect their children and homes from cyber spies. First of all, ensure the internet connection is safe and encrypted, avoid using public networks. If it’s really necessary to connect to a public network, don’t allow the toy to transmit any data over the network and keep a close eye on your children’s activity. Above all, double check for firmware or software updates, implement the latest security patches and use strong passwords.
Never make the mistake of purchasing a gadget simply because it’s hip. Carefully read what you’re agreeing to and thoroughly research the company and the product."