Robert Wiggins, a security researcher based in the UK, found that the phone application TeenSafe allegedly leaked thousands of passwords that were kept on a vulnerable Amazon server.
The application was created for parents to keep track of their children’s online activity, such as messages on various social media sites, internet searches, call history and applications downloaded to their phones. It is available for both Android and iOS devices.
It all started with a security vulnerability on one of the data servers the company hosts on Amazon’s cloud services. Because device names, Apple ID emails and plaintext passwords were kept unencrypted, and the data was not even secured with a password, over 10,000 accounts of parents and their children were exposed. For some reason, two-factor authentication had to be disabled in order to use the application, making it even easier for anyone on the web to access the data.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a company spokesperson told ZDNet.
TeenSafe collects a large amount of data from its users, so the recent data breach and invasion of privacy are raising questions about the company’s overall strategy for ensuring its users' online safety. In-app content such as photos, GPS data or messages was not kept on company servers, so this data was not affected.
The company claims to have over 1 million users in the US.