Teen-monitoring app TeenSafe leaks thousands of user IDs and passwords
Thousands of parental and child accounts on TeenSafe, a teen device-monitoring app, have had their information compromised, according to a report by ZDNet. At least one of the app’s servers, which are hosted by Amazon’s cloud service, was accessible by anyone without a password, giving them entry to highly personal data including Apple IDs. The data, including passwords and user IDs, were reportedly stored in plaintext, even though TeenSafe claims on its website it uses encryption to protect user data.
The TeenSafe app gives parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), call logs, and device location, and lets them see which third-party apps have been installed.
ZDNet notes that UK security researcher Robert Wiggins found two servers had been left exposed, though one appears to host only test data. “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet.
Around 10,200 accounts from the past three months were compromised, though that number also includes duplicates. The compromised data did not include photos, messages, or location data. The server stores the parent’s email address used for their TeenSafe account, along with the child’s email address, the child’s device name and the device’s identifier. TeenSafe requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. The app is available on both iOS and Android and doesn’t require parents to seek their child’s consent for access to their phone.
This breach is the latest in a long line of recent security lapses. Over the past few months, data breaches have hit companies including Under Armour, Facebook (again), Delta and Sears, and Orbitz. While this TeenSafe data compromise might affect only a sliver of web users, it’s a timely reminder to remain vigilant when it comes to your online security.