The controversial mobile app, TeenSafe, that allows parents to spy on their teens phone has suffered a data leak.
Once again, we see yet another data leak. This time, it comes from an app that is used by parents to eavesdrop on their child’s cell phone usage. The app itself allows parents to track their teenagers web browsing history, who they call, their exact location, and text messaging. That alone already makes the app controversial thanks to its privacy implications. What’s more, it does not require the child’s consent either.
Still, the developers say that their app is safe and secure. This in spite of the requirement to disable two factor authentication to operate. Now, that security is being called into question.
Reports are surfacing that a server containing user names, phone ID’s, and passwords were stored in plain text on an unsecured server. While the app boasts a million users, only a couple thousand accounts were discovered. So, who knows whose information was compromised. The database was found by a security researcher. When the developer was notified of the security incident, the server was pulled offline.
Shortly before the server went offline, there were at least 10,200 records from the past three months containing customers data — but some are duplicates.
One of the servers appeared to store test data, but it’s not known if there are other exposed servers with additional data.
We contacted a dozen people over iMessage, one by one, to confirm their passwords (you can learn more about how we verify data breaches here). Not everyone responded. But several people — parents of children who use the app — confirmed their email addresses and passwords, or that it had been recently changed within the past month or so.
The parents also confirmed their child’s email address, used as their Apple ID.
While we did not contact children for fear of causing alarm, some of the email addresses were associated with their high schools.
It’s not clear why the data, let alone passwords for teens’ Apple IDs, was stored in plaintext.
The company claims on its website that it’s “secure” and uses encryption to scramble the data, such as in the event of a data breach.
This latest incident is certainly showing a disturbing trend for personal information. A lot of data leaks we’ve been reporting on seem to happen when companies just leave their databases on public unsecured servers such as an Amazon Bucket cloud server. What’s worse is that this developer is boasting about security and encryption on top of it all. Clearly, there wasn’t encryption to protect this particular bit of data. It wouldn’t be unreasonable for someone to ask, “What were they thinking?”
What’s more, this latest security incident is just the latest in a recent string of security incidences this month. May started off late, but with a bang when 34.5 million Aadhaar accounts were exposed in a data breach. Chili’s also suffered a data breach of their own, though it is unclear how many credit cards were compromised. After that, the University of Cambridge suffered a data leak where 3 million Facebook accounts were affected. right after that, LocationSmart suffered its own data leak, exposing the real time geolocation data of potentially any American on any major ISP. Right after that, the LA County 211 Crises and Abuse hotline suffered a data leak, exposing 3.2 million sensitive records.
If anything, this is proving to be a very busy month on the security front. That is almost never good news, really.
(Hat Tip: BoingBoing)