Teddy bears used to be full of stuffing. Now, they’re packed with smart technology.

Almost all toys can be Internet-connected today, meaning they can be hacked.

Last month, Motherboard reported a company that sold Internet-connected stuffed animals left more than 800,000 customer credentials and two million message recordings of children and parents on a exposed database. None of the data was behind a password or firewall. Additionally, a security researcher said anyone within range of a CloudPet could pair with the Bluetooth connection, making it possible to send and receive audio messages. That means strangers could make a child’s toy say anything.

How is this happening? Kevin Haley, director of security response with Norton, said companies who aren’t familiar with Internet security are making smart toys now because of sheer demand.

“These toys are coming out fast and furious,” Haley said. “Until we have a good sense of regulation … we are going to have to do a little work to make sure we are protecting ourselves.”

Before buying a smart toy, Lynette Owens, founder and global director of Internet Safety for Kids and Families, said parents should research what data the device collects, how it’s being stored, who has access to it and if there is an option to opt out. This information usually isn’t found on the box. So, a look at reviews, websites and news about the product is often necessary. Buyers might even want to contact the company directly.

Internet-connected toys aren’t bad, Owens said.  “There is a lot of upside to having toys that have this ability to be more robust and educational than building blocks.” (Think a globe that updates population numbers in real time.)

There simply aren’t regulations around security. So, the data that’s being transmitted is important.

“The more of your personal life that gets fed to these devices, the higher your risk,” Haley said.

Parents should think twice before recording names, birthdays, relatives’ information, pictures and voices, he said.

Passwords including mixed case, letters and numbers can help, but are primarily put in place for the user (passwords don’t change the fact information will still be transmitted to the manufacturer). Norton recommends changing passwords every three months.

Owens said knowing potential risks is important for parents and children. She recommends talking to children about security as soon as they are using Internet-connected devices or toys.

“Once you are on the Internet, you should assume nothing is really private,” Owens said.

Follow Ashley May on Twitter: @AshleyMayTweets