Users of parental monitoring app TeenSafe for either Android or iOS will want to know that the company may have inadvertently compromised their children’s email addresses and passwords. Although the app is marketed as a secure solution for keeping tabs on teens, the company seems to have left some credentials exposed on an unsecured Amazon server, meaning that anybody who had access to the site before its subsequent removal may be able to log in and gain access to a wealth of private information. The app tracks everything from text messaging, phone calls, and browsing history to app installations and location data. Worse, the credentials were actually stored as plaintext, so any would-be attackers wouldn’t need to put in any additional effort to get into accounts.
As of this writing, it hasn’t been reported how many accounts may have been compromised. There were a total of three unsecured servers spotted by U.K. security researcher Robert Wiggins, with more than 10,200 records. Some of those were duplicate accounts and one of the servers appears to have been an internal test server. None of the data contained on the servers included photos, messages, or location data for either children or parents. But the records did contain unique device identifiers, in addition to emails and passwords. It is also not known whether other servers were involved that simply weren’t discovered by the security researcher. Bearing that in mind, the company is likely performing an internal audit of its systems to ensure that all compromised servers are taken down or secured. So parents and children who use the app should keep an eye out for an email from the company regarding whether or not they have been affected.
In the meantime, it would be advisable for users to change their passwords for any accounts associated with TeenSafe. Furthermore, the passwords of any other accounts which share the same or similar passwords with TeenSafe should also be changed. While it isn’t known whether the data was stolen by any bad actors, it’s not uncommon for stolen credentials to be used in attempts to log into unrelated accounts or apps tied to a given email. How well that works depends on how careful the original owners are, and most security experts agree the average user isn’t particularly security conscious.