According to Sens, a business that develops AI-powered toys revealed excerpts of thousands of chats its devices had with kids. Marsha Blackburn, Republican of Tennessee, and Richard Blumenthal, Democrat of Connecticut.
The accusation was made in a new wave of letters delivered on Wednesday to manufacturers of AI-powered children’s toys. The senators, who highlighted their concerns in another pair of letters in December, stated that their offices’ own research had shown a major new data exposure.
Staff members from the senators’ offices indicated that as part of their research over the previous month, one manufacturer, Miko, had revealed “what appears to be all of the audio responses of the toy,” in an unprotected, publicly available database, according to the letter written to Miko on Wednesday.
According to the senators, this enables anyone to obtain Miko’s perspective on thousands, if not tens of thousands, of interactions with children. Audio files frequently contained children’s names as well as information about their discussions with Miko.
“The toys’ frequent communications back to Miko, Inc. and this basic cybersecurity lapse raise concerns about whether your company appropriately protects the privacy and security of children’s and the toy’s data,” they said.
NBC News was able to see the exposed database, which seemed to include thousands of Miko toys’ daily answers to queries or instructions from December 2025 onward.
Sneh Vaswani, the founder and CEO of Miko, responded to a request for comment by writing in a statement: “There has been no breach or disclosure of customer data. Children’s voice recordings are not stored by Miko, and neither their personal information nor their voices are available to the general public. Miko has never before violated any customer data.
Referring to the senators’ letter, Vaswani wrote, “We have carefully reviewed the letter and will be providing a detailed response to the senators.”
Sens’ staff. According to Blackburn and Blumenthal, they discovered the vulnerability by utilizing free, publicly available tools to examine information sent by a Miko toy over a Wi-Fi network.
According to the senators’ offices, staff members located the audio files by performing a simple analysis of the web server that spoke with the Miko toy. According to the offices, it was evident that the audio files represented the toys’ answers to users.
The files marked “GOOGLE” and “AZURE,” which most likely referred to the Microsoft Azure cloud computing service, were visible on the database’s main index page. These files had a large number of subfolders labeled with various languages or dialects, such as “da-DK” for Danish or “en-US” for American English.
Within these sub-folders, audio tracks in each language were arranged according to particular dates. Nine dialects or language folders were found in the “GOOGLE” folder, compared to 19 in the “AZURE” folder.
“Every large tech organization has guardrails to protect the privacy of their customers, and for us, those guardrails need to be five times stricter,” Vaswani stated in a 2024 blog post regarding Miko’s use of Google Cloud and its Gemini AI models.
At the time, Vaswani stated, “We want to make sure Miko Robots offer safe, dependable, and culturally relevant interactions for kids all over the world.”
“Putting aside the very serious risks presented by kids’ toys that are powered by unpredictable AI systems that all too often have weak guardrails, failing to secure people’s interactions with AI systems would reflect a cavalier disregard for both privacy and security,” stated Miranda Bogen, director of the Center for Democracy and Technology’s AI Governance Lab.
Even though the database did not have voice recordings of the children’s portion of the chat, NBC News was able to follow a number of conversations using only the Miko database’s replies. For instance, the Miko database included multiple audio files that were updated within minutes of one another and each had a unique name. This allowed listeners to keep track of the questions the identified person was asking, their emotional state, or the music they wished to listen to.
Based on the greeting and farewell messages on the toys, the audio recordings also seemed to let outsiders know when a person began using a toy and when they switched it off.
R.J. Cross, a campaign director of the U.S. Public Interest Research Group who oversaw earlier studies on the dangers of AI toys, described the Miko recording database as “unsettling.” Parents have every right to wonder what else went wrong when a corporation fails to grasp the fundamentals of encryption. It calls into question whether this company, or any other AI toy company, should be trusted with children’s toys after making a similar error.
In December, NBC News discovered that a number of AI toys held geopolitical views in line with Chinese Communist Party talking points, participated in explicit sexual conversation subjects, and gave users advice on where to find unsafe items in the house.
Miko was notified Wednesday of the disclosure by the senators’ offices. By Wednesday afternoon, the database was no longer available to the general public.
The senators’ letter to Miko includes inquiries about the company’s failure to secure audio responses to the kids’ conversations, which third-party businesses Miko shares data with, how it uses information gathered about users’ “emotional states,” and how it ensures that the data of kids is permanently erased upon parental request.
Additionally, Blackburn and Blumenthal wrote to Curio and FoloToy, the manufacturers of other well-known AI toys, asking for further details regarding their policies and commitments to protecting children’s data. Before the business put further restrictions in place, a prior iteration of the FoloToy Kumma bear talked about sexual matters and gave users tips on how to light matches.
Among other things, the senators’ letter to FoloToy asks whether the company has ever given the Chinese government access to user data, and the letter to Curio asks what particular parental control features are included in Curio toys.
A Curio representative said in a statement: “We take the concerns expressed by policymakers very seriously. With Senators Blumenthal and Blackburn, we are actively interacting.
“Our toys are built around parental permission, transparency, and control because we understand that applying AI in experiences designed for children carries a heightened responsibility,” the statement reads. Curio is still dedicated to having productive conversations and to abiding by all relevant legal and regulatory obligations.
