An app meant to let parents monitor teenagers’ phone activity was until recently storing the teens’ Apple ID passwords in unprotected plaintext, a report revealed on Sunday.
The information collected by TeenSafe was hosted on Amazon servers, and also included device identifiers and the email addresses of parents, ZDNet said, crediting the discovery to U.K. researcher Robert Wiggins. Those servers have been temporarily pulled offline, and a TeenSafe representative stated that the company has begun notifying anyone who might be impacted.
At least 10,200 records from the past three months contained customer data, though some were duplicates.
TeenSafe markets itself as a secure, encrypted way for parents to track call, Web, and location histories, as well as read text messages, even deleted ones.
Using the app to track a teen’s iPhone requires that the teen have two-factor authentication turned off, though, which means that any hacker who discovered the plaintext passwords could hijack a teen’s Apple ID and view private content.
It’s not known if any malicious attacks have been launched, but some of the affected customers had already changed their account data prior to being alerted.