TeenSafe, a company that offers phone monitoring services to parents, reportedly compromised the Apple IDs and passwords of tens of thousands of people. The data was accessible to anyone who found the Amazon Web Services (AWS) servers on which it was stored--no password required.
Parents use TeenSafe to keep an eye on their child's location, view their browsing history, access call logs, and read messages. None of this data appears to have been exposed by the improperly configured AWS server--TeenSafe instead exposed Apple IDs and passwords. Because monitored teens can't set up two-factor authentication, however, that means anyone could have accessed any information connected to their iCloud account.
TeenSafe also unwittingly exposed parents' email addresses, device names, and each device's unique identifiers. All of this information was stored in plain text on the affected server. Combine that with the lack of password protection and you end up with more than 10,000 people whose data could have been accessed by anyone who scanned AWS servers in search of unprotected information, which is exactly what happened here.
The improperly configured servers were discovered by UK security researcher Robert Wiggins and first reported by ZDNet. Of the affected servers, only one contained the Apple IDs and passwords, while the other appeared to contain test data. ZDNet said TeenSafe took both servers offline after it was contacted about the issue, and a spokesperson said the company has started to notify users who may have been affected by the data leak.
TeenSafe's customers--and the children they're monitoring--are lucky their Apple IDs were the only thing compromised. Tools like TeenSafe are used to gather as much private information as possible, and exposing the collected messages, call logs, browsing history, and other data could've been catastrophic. Revealing the monitored phone's location data could also have put unsuspecting teens at risk of physical violence.
None of that information appears to have been compromised by this leak. Still, problems like this highlight the dangers of using what amount to private surveillance tools on children. One could argue that parents shouldn't even have access to this information, especially if their children are in the late teens, and we suspect few would argue that putting someone's security at risk so you could undermine their privacy is a good trade-off.