Sphero 2023 Data Breach

Sphero Educational Robotics Company Breach (2023): 832K User Records Including DOB & Location Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Unknown (GraphQL API exploit)EducationChildrenDate of BirthEmail AddressFull NameGeographic LocationUsername
Moderate SeverityWebsite / service breach

Sphero Educational Robotics Company Breach (2023): 832K User Records Including DOB & Location Exposed

Educational robotics company.

Verified by ObscureIQ Intelligence
54/100Breach Risk Index
40Data Value
10Market Recency
920dSince Breach

Breach Intelligence Summary

Entity: Sphero · Actor: Unknown (GraphQL API exploit) · Sources: 4 references
Attack: Unknown
Profile: Company · Robotics and educational technology · Consumer and STEM products provider · USA
Timeline: Breach (2023-09-09) · Indexed (Oct 20, 2023) · Year (2023)
Exposure: 832K records · 5 fields: Date of Birth, Email Address, Full Name, Geographic Location, Username
Status: Confirmed

Executive Summary

Sphero, a U.S.-based educational robotics company that produces programmable robots and STEM kits used in schools, suffered a data breach disclosed in September 2023. A hacker exploited security vulnerabilities including a flaw in the company's GraphQL API to extract more than one million rows of user data, which was subsequently posted on a hacking forum. The breach was first publicly reported by SafetyDetectives in October 2023.\n\nThe dataset contained approximately 832,000 unique email addresses paired with names, usernames, dates of birth, and geographic locations. Affected users include educators and students across schools that used Sphero programs, with student data accounting for a significant share of the records. Sphero declined to comment publicly on the incident when contacted by researchers and journalists, and reporting from Hong Kong indicated that the territory's Office of the Privacy Commissioner for Personal Data had not been notified.\n\nFor affected individuals, the practical risk is concentrated in identity-fraud and phishing scenarios with a school-themed pretext. The combination of name, date of birth, and geographic location is a strong base for credential-stuffing attacks against student or teacher accounts on other education platforms, and for impersonation messages purporting to be from a school or vendor. Because student data is involved, the exposure has unusually long downstream relevance, since identity fraud built on a child's date of birth can remain invisible until the affected individual reaches adulthood and applies for credit, college, or employment. Parents of students who used Sphero products should monitor for unusual account activity and treat any unsolicited contact referencing the child's school or coding activities with caution.

ObscureIQ assessment: Exposure enables phishing, order fraud, and school-themed impersonation. Where student or educator data is involved, the privacy and targeting risks are higher.

Breach Impact

The institutional impact on Sphero from the 2023 incident is unusual because the company's silence dominated the response. There has been no public regulatory action, settlement, or large-scale customer notification campaign associated with the breach. The reputational cost has been measurable but diffuse, given Sphero's institutional customer base of schools and education resellers, where data-handling practices can become a procurement filter. The exposure of student dates of birth and geographic locations carries unusually high downstream risk for minors, since identity-fraud risk on a child's profile can persist undetected until adulthood. Privacy regulators in jurisdictions where Sphero operates have not announced public action.

About Sphero

Sphero is a U.S.-based educational technology company headquartered in Boulder, Colorado, with operations including a Hong Kong office. The company designs and sells programmable robots and STEM education kits used in schools, classrooms, and home learning environments. Its flagship product line includes ball-shaped robots controlled through programming apps, alongside coding kits and curriculum materials. Sphero's customer base is heavily institutional, with schools and educators making up the bulk of deployments, while individual user accounts are held by both teachers and students learning to code. The company maintains the centralized account and learning-progress systems typical of an education-software platform.

Why They Hold Your Data

Educational technology providers collect customer accounts, order data, device registrations, classroom usage information, and in some cases student or educator-linked activity tied to robotics and STEM products.

Recent Developments

Sphero has continued to operate as an educational robotics company in the years since the 2023 incident. The company never publicly commented on the breach despite being approached by researchers and journalists, and Hong Kong's Office of the Privacy Commissioner for Personal Data was not notified at the time. The 2023 dataset was indexed by Have I Been Pwned and added to public breach-tracking services in October 2023. Sphero has not been publicly tied to a further breach disclosure since then. The broader educational technology sector has continued to draw scrutiny over data-handling practices for student accounts.

Data Points Exposed

5 verified field types
Date of Birth High
Email Address
Full Name High
Geographic Location
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Cross-platform tracking & credential stuffing

Threat Actor: Unknown (GraphQL API exploit)

Unknown (GraphQL API exploit)
Unknown

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Sphero breach?

Sphero, a U.S.-based educational robotics company that produces programmable robots and STEM kits used in schools, suffered a data breach disclosed in September 2023. A hacker exploited security vulnerabilities including a flaw in the company's GraphQL API to extract more than one million rows of…

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Geographic Location, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation