TeenSafe advertises itself as a service allowing parents to monitor what their children are doing on smartphones in order to keep them safe. It does this through the use of an iOS or Android app, which allows parents to view the texts, call logs, web history, and location of a phone. The problem is, TeenSafe didn’t secure its servers or the data it stored properly.
As ZDNet reports, TeenSafe only works if two-factor authentication is turned off on the device and, in the case of an iPhone, if the parent knows the child’s Apple ID and password. TeenSafe stores these details for each account on servers hosted by Amazon Web Services and did so without encrypting the data. Two of those servers were not protected properly, which meant anyone could access the information.
As you’ve probably guessed, the inevitable happened. TeenSafe has been forced to take the servers offline and alert customers whose details were exposed that they may be at risk. It’s unclear exactly how many accounts were exposed, but one of the servers contained 10,200 records from the past three months. Some of those were duplicates, but it’s safe to assume thousands of customers need to be contacted.
What leaked includes parent TeenSafe and child Apple ID email addresses, device unique identifiers, and the password associated with each Apple account. ZDNet verified with several parents over iMessage that the leaked data was correct. To be clear, most of the leaked data allows access to children’s devices, because that is what TeenSafe stored so that parents could reach those devices through the service.
If you use TeenSafe (more than a million parents do according to its website), then I’d suggest not waiting to find out if your data was accessed. Get your kids to change their passwords and turn on two-factor authentication. You’ll lose the ability to use TeenSafe, but this is a service running unsecured servers and storing your children’s account information in plaintext. Why would you want to keep using it?
This article was originally published at PC Mag.