Data was stored on an unprotected server

May 21, 2018 08:58 GMT  ·  By

An iOS application that parents can use to monitor children activity on Apple devices has exposed Apple ID passwords in plaintext due to the data stored on an unprotected server.

A report from ZDNet reveals that TeenSafe, an app whose purpose is to offer, ironically, secure teen monitoring, including messages, location, call and web browsing activity, stored passwords in plaintext on a server hosted on Amazon Web Services.

While the company claims it has 1 million parents using its service, at least 10,200 records were said to be stored on the exposed server. The information that was available without a password included parents’ and teens’ email addresses, as well as the passwords for the latter.

What’s more concerning is that TeenSafe, despite handling so critical information, required parents to disable two-factor authentication for the Apple IDs that they wanted to monitor, in order to be able to access information without having to request access from the other device. This means that should hackers obtained access to the exposed Apple IDs, they were capable of logging in easily.

Server already secured

On the other hand, no personal data was stored on the servers, like photos, messages, or location data, though with an Apple ID, malicious actors would have been capable of obtaining further information about the compromised accounts.

A TeenSafe representative told the cited source that the company has already secured the unprotected server and it is now notifying affected accounts that further security measures, like changing passwords, could be required.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson was quoted as saying.

The company has obviously remained tightlipped on other details regarding the breach, but it’ll be interesting to find out how many accounts were exposed and whether data stored on other servers was unprotected as well.