UK-based security researcher Robert Wiggins has found two exposed TeenSafe servers, leaking the passwords and information of some users of the monitoring service.
TeenSafe is meant to protect teenagers by letting their parents monitor their texts, phone calls, web history, location, and app downloads. The breach was first reported by ZDNet.
According to the report, TeenSafe left two of its servers, which were hosted on AWS, exposed and viewable by anyone. The database included the parent’s email address, the child’s Apple ID email address, the device name, the device’s unique identifier, and plaintext passwords for the teenager’s Apple ID.
So… just about everything.
TeenSafe requires that teenagers abstain from using two-factor authentication so that parents can keep an eye on their activity, making those teenagers even more vulnerable to malicious actors now that their personal information has been exposed.
TeenSafe claims on its website that it encrypts data so that it wouldn’t be accessible in the event of a breach.
According to ZDNet, the server held at least 10,200 records from the past three months containing customer data. The publication also noted that some of those records were duplicates and that one of the servers appeared to store test data.
That said, it’s unclear if there are other leaky servers with exposed data yet to be discovered.
TeenSafe says it has more than 1 million parents using the platform.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.
We reached out directly to TeenSafe and will update the post if/when we hear back.