According to a new report from ZDNet, a popular app used by parents to monitor their teens has suffered a data breach. The app, TeenSafe, touts that it’s a “secure” monitoring app for iOS that allows parents to monitor text messages, location, calling history, web history, and more.
Included in the data breach, the report says, was a list of plaintext Apple ID passwords…
According to the report, TeenSafe left its servers, which are hosted on Amazon’s Web Services platform, unprotected. Thus, anyone could access the information without a password. After ZDNet notified the company of the glaring security lapse, it pulled the servers offline.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.
Included in the TeenSafe servers was a list of parents’ email addresses, as well as their child’s Apple ID email address. Furthermore, it included their device’s unique device identifier and, most importantly, plaintext passwords for the child’s Apple ID.
Making matters even more shocking, TeenSafe requires that the child’s Apple ID account have two-factor authentication turned off. This is so the parent can monitor their child’s activity without having to gain direct consent.
None of the accessible records included location data, photos, or messages. The company claims to have over 1 million parents using the service, though the servers housed “at least 10,200 records from the past three months.”
Shortly before the server went offline, there were at least 10,200 records from the past three months containing customer data — but some are duplicates. One of the servers appeared to store test data, but it’s not known if there are other exposed servers with additional data.
Questions have been raised about TeenSafe’s legitimacy in the past, primarily due to the sheer amount of data the app collects. Furthermore, teen monitoring apps such as TeenSafe have been labeled as intrusive and an invasion of the child’s privacy.
At this point, TeenSafe hasn’t expanded too much on the breadth of the breach, though it says it has started informing affected users.