A “secure” app that lets parents monitor their teens’ smartphone usage has publicly exposed thousands of Apple IDs and passwords to the web.
At least one server used by the app, TeenSafe, leaked data belonging to thousands of parent and child accounts. The server was left unprotected — without a password — on Amazon’s cloud. In other words, anyone could have accessed it, ZDNet first reported.
TeenSafe is an iOS and Android app that lets parents view their child’s current location, texts, call history, web browsing data and app usage.
The leaked data included parent email addresses, as well as the Apple ID emails-associated belonging to their children. The server also listed the teens’ Apple ID passwords in plaintext and their device names.
Worryingly, TeenSafe requires two-factor authentication for teen accounts to be disabled. Basically, that means that bad actors who accessed the leaked data could easily break into the Apple ID accounts belonging to those teens — that could allow them to access teens’ personal data, or even hijack and “ransom” their devices.
However, the server did not include location data or content like photos or messages.
The leaky server was first spotted by Robert Wiggins, a UK-based information security researcher. Wiggins actually discovered two unprotected TeenSafe servers, though the second appeared to contain only test data. ZDNet alerted the app developers, who have taken action by pulling the servers offline. TeenSafe added that they’ve begun alerting potentially impacted users.
Before the servers were pulled, they reportedly contained about 10,200 records with customer data from the previous three months. Some of that data was duplicated, however.
TeenSafe claims to have about a million parents using their app on iOS and Android. It’s not clear whether there are other publicly accessible servers that have yet to be discovered.
ZDNet independently confirmed that the leaked data was genuine, reaching out to the listed email addresses. At least some of the email addresses belonging to children appeared to be associated with high school accounts.
Child monitoring apps like TeenSafe have proven controversial in the past, due to the fact that they can be seen as an invasion of privacy. TeenSafe states on its website that it does not require parents to get their child’s consent to use the app.
The Los Angeles-based company said it is a “secure” service and encrypts or scrambles its users’ data in the event of a breach. It’s not clear, on the other hand, why these passwords were stored in plaintext.
TeenSafe said that it would continue to monitor the situation and provide additional information when it becomes available.
If you or someone you know uses TeenSafe, it’s advised that you change the password associated with your Apple ID as soon as possible. That’s especially imperative for teen accounts without two-factor authentication.
Read Next: Apple Dropped to No. 4 in Annual Fortune 500 Rankings