Thousands of accounts for TeenSafe, which is a mobile app that parents can use to monitor what their kids are doing online, have been exposed in the latest Amazon Web Services cloud misconfiguration.
According to a report from ZDNet, which verified the data breach, there were at least two servers left open to the internet without a password, with information easily available in plaintext.
The leaky servers were discovered by security researcher Robert Wiggins, who told ZDNet that the information trove contained parental email addresses, Apple ID information including emails and passwords, the name of the teen’s device and the phone’s unique identifier. Fortunately, no location information, photos or message content was made public, but the info that was on offer is certainly enough to mount a phishing expedition or log into an account and hijack it.
“This breach is a perfect example of all information security and security development best practices being violated or not implemented whatsoever,” Rishi Bhargava, co-founder at Demisto, told Threatpost. “Clear-text passwords are evil and there is no reason to store any password in [a] database without encryption. There are so many open source libraries to do basic encryption that encrypting passwords is not additional work at all.”