It said tests had revealed "worrying security failures" with the Furby Connect, I-Que Intelligent Robot and other toys sold on high streets and online.
Which? said it had now written to retailers asking them to stop selling toys "with proven security issues".
The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a outcome could be easily hacked.
They also found the Bluetooth on Toy-fi Teddy lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.
Which? found that there was no authentication required between the toys and the devices they could link with via Bluetooth.
"In each of the toys, the Bluetooth connection had not been secured, meaning during the tests the hacker didn't need a password, PIN code or any other authentication to get access", the report read. It does not use any security features when pairing.
Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot's voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns.
These steps included redesigning the toy's firmware and then uploading it within Bluetooth range.
"Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk", he said. "Our security experts were able to upload and play a custom audio file on the Furby", the report said.
CloudPets, available from Amazon, come as a stuffed animal and enable friends to send messages to a child, played back on a built-in speaker. But Which? found the toy could be hacked via its unsecured Bluetooth connection.
Toy-fi Teddy allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app.
The lack of authentication meant that, in theory, any device within physical range could link to the toy and take control or send messages, the watchdog said.
"Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution", said Alex Neill, managing director of home products and services. "If that can't be guaranteed, then the products should not be sold".
I-Que maker Vivid Imagination said there had been "no reports of these products being used in a malicious way" but added that it would review Which?'s recommendations. It said: "While it may be technically possible for someone other than the intended user to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".
The I-Que Intelligent Robot (left) has previously featured on Hamleys top toys Christmas list.
The products include the Furby Connect, which was ranked as one of the "must have" toys for young children last Christmas.
"That person would need hardly any technical know-how to "hack" your child's toy", the report warned.