ZDNet reports that TeenSafe, an app that helps parents monitor their teenager's phone usage and boasts over a million users, had an online database server that leaked over 10,000 customer records in plain text. These records contain the parent's email address and unique device ID, as well as the child's device name and ID and their Apple ID and its password. To top off this bad news, using the app required that two-factor authentication be turned off, so everything a malicious person needs to break into a child's Apple account is readily available.
A TeenSafe spokesperson told ZDNet they have started to alert affected parties:
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted."
Robert Wiggins, a UK-based security researcher who scours the web looking for public and exposed user data, found two TeenSafe servers he was able to access. The 10,200-record leak does contain some duplicate entries, but there are still thousands of Apple accounts exposed. None of the entries contain user-generated content such as photos or messages, nor do they give any location data. They look to be error messages logged with the user credentials as their identifier in the database.
ZDNet used the parent's information to reach out and verify the extent and severity of this data leak, though none of the children were contacted. The affected servers are no longer online, though sample data is available at ZDNet.
If you use TeenSafe to monitor your child's activity, you should contact the company through their website.