As high profile data breaches and privacy scandals, like the recent Facebook/Cambridge Analytica scandal, make headlines, more and more businesses and consumers are becoming increasingly aware of cyber security and data protection.
The latest company to suffer a data leak is TeenSafe, a Los Angeles-based company whose app allows parents to track their child’s location and monitor their phone use, such as text messages, call log, web browsing history, and the apps they download.
The company claims that its app, which is available to download for iPhones and Android devices, uses “secure” tracking software which parents can download onto their child’s phone.
However, TeenSafe has apparently leaked data through an unprotected Amazon cloud server. More than 10,000 users are thought to be affected. The data included Apple and Android IDs, usernames, plain text passwords, email addresses, device names, and other unique identifiers.
According to Trusted Reviews, the breach is particularly alarming because the app requires two-factor authentication so anyone who accessed the data could easily break into the Apple ID account.
The security breach was discovered by UK-based security researcher, Robert Wiggins, who searches for public and exposed data. As BBC News reports, he has previously uncovered thousands of similarly misconfigured machines on Amazon Web Services (AWS).
In this case, he found two unprotected Amazon-hosted computer servers being used by TeenSafe, The Week explained. This included the data-exposing server and another poorly protected server that appeared to contain “only test data”.
The TeenSafe leak is particularly concerning because the data has been stored in plain text form, meaning it has not been protected by any form of encryption.
No doubt, this will be alarming to parents who will have downloaded the app in an attempt to help protect their children online.
After being informed of the leak, TeenSafe took both servers offline.
Speaking to the BBC, Wiggins explained that the company had failed to implement basic security measures to protect the data, such as setting up a firewall. He also noted that the scan across AWS which uncovered the TeenSafe server also revealed other machines run by other companies that had made the same mistakes.
A spokesperson for TeenSafe told ZDNet: “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted.”
According to the company, more than one million parents use its service.