AI toy maker exposed thousands of replies to kids, senators say

Source: NBC News

A company that makes toys powered by artificial intelligence exposed snippets of thousands of conversations its toys had with children, according to Sens. Marsha Blackburn, R-Tenn., and Richard Blumenthal, D-Conn.

The claim was made in a new round of letters sent Wednesday to manufacturers of AI-powered children's toys. The senators, who expressed their concern in another set of letters in December, said that through their offices' own research they had been able to identify a significant new data exposure.

As part of their research over the past month, staff members from the senators' offices said that one manufacturer, Miko, had exposed "what appears to be all of the audio responses of the toy," in an unsecured, publicly accessible database, according to the letter sent to Miko on Wednesday.

According to the senators, this allows anyone to download Miko's side of thousands -- if not tens of thousands -- of discussions with children. The audio files often appeared to contain children's names along with details about the children's conversations with Miko.

"This basic cybersecurity lapse, and the toys' frequent communications back to Miko, Inc., call into question whether your company adequately protects the privacy and security of children's and the toy's data," they wrote.

The exposed database, which was viewed by NBC News, appeared to contain thousands of Miko toys' daily responses to children's questions or instructions going back to December 2025.

In response to a request for comment, Miko CEO and founder Sneh Vaswani wrote in a statement: "There has been no breach or leak of user data. Miko does not store children's voice recordings, and no children's voices or personal information are publicly accessible. No customer data has at any point been compromised by Miko."

"We have carefully reviewed the letter and will be providing a detailed response to the senators," Vaswani wrote, referring to the letter from the senators.

The staff of Sens. Blackburn and Blumenthal said they identified the exposure by using free, publicly available tools to examine the communications a Miko toy sent over a Wi-Fi network.

According to the senators' offices, staff members identified the audio files through a very simple analysis of the web server that was communicating with the Miko toy. According to the offices, it was clear the audio files seemed to be the toys' responses to users.

When viewed by NBC News, the main index page for the database contained folders labeled "GOOGLE" and "AZURE," likely referring to the Microsoft Azure cloud computing service. These folders contained numerous subfolders labeled with different languages or dialects, like "en-US" for American English or "da-DK" for Danish.

Audio files in each language were organized by specific dates within these subfolders. The "AZURE" folder contained 19 dialects or language folders, while the "GOOGLE" folder contained nine dialects or language folders.

In a 2024 blog post about Miko's use of Google Cloud and its Gemini AI models, Vaswani said: "Every large tech organization has guardrails to protect the privacy of their customers, and for us, those guardrails need to be five times stricter."

"Our goal is to ensure Miko Robots provide safe, reliable, and culturally appropriate interactions for children worldwide," Vaswani said at the time.

Miranda Bogen, director of the Center for Democracy and Technology's AI Governance Lab, said: "Setting aside the very real concerns presented by kids' toys that are powered by unpredictable AI systems that too often have flimsy guardrails, failing to secure people's interactions with AI systems would reflect a cavalier disregard for both privacy and security."

While voice recordings of the children's portion of the conversation did not appear in the database, NBC News was able to follow several conversations based solely on the replies in the Miko database. For example, the Miko database contained several audio files added to the database within minutes of each other that all used a unique name, allowing listeners to track what the named individual was asking about, how they were feeling, or what music they wanted to listen to.

The audio recordings also appeared to allow outsiders to learn when an individual started using a toy and when they turned the toy off, based on the toys' greeting and farewell messages.

"The database of Miko recordings is unsettling," said R.J. Cross, a campaign director at the U.S. Public Interest Research Group who led prior research efforts on risks from AI toys. "When a company can't get basic encryption right, parents have every right to ask: what else did they get wrong? It raises questions about whether this company -- or any AI toy company -- making a similar mistake should be trusted with children's products."

In December, NBC News found that several AI toys engaged in explicit sexual conversation topics, advised users on how to locate dangerous objects at home and shared geopolitical sentiments aligned with Chinese Communist Party talking points.

The senators' offices informed Miko of the exposure Wednesday. By late Wednesday afternoon, the database was no longer publicly accessible.

The senators' letter to Miko asks, among other questions, why the company failed to protect audio responses to the children's discussions, which third-party companies Miko shares data with, how it uses data collected about users' "emotional states," and how it guarantees that children's data is permanently deleted upon request by parents.

Blackburn and Blumenthal also sent letters to Curio and FoloToy, makers of other popular AI toys, requesting more information about the companies' commitments and practices to keep children's data secure. A previous version of the FoloToy Kumma bear discussed sexual topics and provided users advice on how to light matches before the company implemented stricter guardrails.

Among other topics, the senators' letter to FoloToy inquires if the company has ever shared or made user data available to the Chinese government, while the letter to Curio asks what specific parental control mechanisms are built into Curio toys.

In a statement, a Curio spokesperson said: "We take the concerns raised by policymakers very seriously. We are actively engaging with Senators Blackburn and Blumenthal."

"We recognize that applying AI in experiences designed for children carries a heightened responsibility, which is why our toys are built around parental permission, transparency, and control," according to the statement. "Curio remains committed to constructive dialogue and to fully complying with all applicable laws and regulatory requirements."