The app, called TeenSafe, allows parents to monitor their children’s mobile phone usage, including the ability to read their texts, see their location, and view their call and website history. The app bills itself as a secure monitoring app, but as ZDNet reports, the company was inadvertently leaking user details from two servers that anyone could access without a password. The leaked user data was discovered by a U.K. security researcher and includes Apple IDs and their associated passwords in plain text, for both parents and their children.
It’s unknown whether anyone accessed the user data before the vulnerability was reported to TeenSafe, and the leak does not appear to have provided access to messages, call logs, photos, or location history. Still, bad actors could do a lot of damage with just someone’s Apple ID and password. Shortly before TeenSafe took the servers offline, the servers contained 10,200 records of customer data from the past three months, though some of those records are known to be duplicates. TeenSafe says it has over a million parents using its service.