ZDNet reports that a server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of login credentials, including the Apple IDs of children.
The leaked data belonged to customers of TeenSafe, a “secure” monitoring app for iOS and Android that allows parents to view their child’s text messages and location, call history, web browsing history, and installed apps.
The customer database was reportedly stored on two servers hosted by Amazon Web Services, where it remained unprotected and accessible without a password. The discovery was made by a U.K.-based security researcher specializing in public and exposed data, and the servers were only taken offline after ZDNet alerted the California-based company responsible for the TeenSafe app.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” said a TeenSafe spokesperson told ZDNet on Sunday.
The information in the exposed database included the email addresses of parents who used TeenSafe, the Apple ID email addresses of their children, and children’s device name and unique identifier. Plaintext passwords for the children’s Apple ID were also among the data set, despite claims on the company’s website that it uses encryption to protect customer data.
Compounding the lax security is the app’s requirement that two-factor authentication is turned off for the child’s Apple account so that parents can monitor the phone without consent. This means a malicious actor could potentially access a child’s account using the login credentials that were stored on the exposed server.
TeenSafe counts over a million parents as customers, although the database was reportedly limited to 10,200 records gleaned from the past three months of customer usage. The company said it would continue to assess the situation and provide additional information to customers as soon as it became available.