An app designed for parents to keep an eye on their teenagers' smartphone use was storing plain text passwords on an unsecured AWS server.
A mobile app that allows parents to monitor their teenagers' smartphone habits has a secret of its own: It left over 10,000 plain text user records sitting on an unsecured Amazon cloud server.
The app in question is TeenSafe, which is designed to let parents track their teen's smartphone location, text messages, incoming and outgoing calls, web browsing history, app installations, and other information.
As reported exclusively by TechRepublic sister site ZDNet, TeenSafe's security snafu was discovered by UK-based security researcher Robert Wiggins, who found two of TeenSafe's servers sitting open and exposed with over 10,000 user records ripe for the picking.
ZDNet reached out to TeenSafe, which promptly pulled the affected servers, but there's no way of knowing if it was too little too late.
What was exposed
The records found on TeenSafe's unsecured servers contained the email address attached to the parental account, the children's Apple IDs (no word on how the leak affected Android users), and their passwords, in plain text.
TeenSafe requires two-factor authentication to be turned off in order to function, which means the exposed Apple IDs and passwords can be used to easily gain access to anything associated with a child's Apple ID: photos, music, messages, etc.
ZDNet verified that the data on the servers was legitimate by reaching out to some of the people affected and receiving several affirmative responses.
A lesson for all businesses
If it seems like every time you turn around there's another big data breach in the headlines, you're not alone in thinking so—it happens a lot.
Businesses that store user information online have plenty of lessons to learn from, and TeenSafe is just one more entry on the growing list of data breaches that could easily have been prevented.
TechRepublic has covered data breach prevention before. Here's a quick roundup of tips to help your business stay out of the crosshairs:
- Be proactive: Don't wait for a benevolent hacker to point out your weaknesses: Find them and fix them yourself.
- Log, alert, and follow up: Keep an eye out for suspicious behavior (like repeated failed logins) and automate the notification process for prompt response. Once you've resolved the issue track down what could have caused it—you may find a security weakness you were unaware of.
- Assign responsibilities: How does a cloud server get left unsecured? Someone should have been responsible for locking it up—be sure your business knows who that is, and make sure they keep track of their actions. Even better, make sure critical steps are validated by another person.
- Keep yourself patched: Third-party software can have vulnerabilities you didn't account for. Keep software up to date so you are protected against the bugs that vendors are responsible for patching.
- Encrypt everything: If the data on TeenSafe's exposed server had been encrypted, this would be a very different story. Never store sensitive data in plain text.
The big takeaways for tech leaders:
- A mobile app that helps parents monitor their children's smartphone behavior left over 10,000 user records exposed in plain text on an unprotected server.
- This is yet another case of an easily preventable data breach: Businesses should see this as a warning sign and take steps to protect their customers (and themselves) now.