This definitely qualifies as something of a goof.
TeenSafe, an app designed to allow parents to monitor their children’s online activity, was found to be storing users’ Apple ID passwords in unprotected plaintext.
The information collected by TeenSafe was hosted on Amazon servers and also included device identifiers and the email addresses of parents. The discovery is credited to U.K. researcher Robert Wiggins. Those servers have been temporarily pulled offline, and a TeenSafe representative stated that the company has begun notifying anyone who might be impacted.
At least 10,200 records from the past three months contained customer data, though some were duplicates.
The TeenSafe app is marketed as a secure, encrypted way for parents to track call, Web, and location histories. The app can also read text messages, even deleted ones.
Unfortunately, this level of tracking required that two-factor authentication be turned off, so a hacker who discovered the plaintext passwords could hijack a teen’s Apple ID and view private content.
It’s not known if any malicious attacks have been launched, but some of the affected customers had already changed their account data prior to being alerted.
Stay tuned for additional details as they become available.
Via AppleInsider, ZDNet and Robert Wiggins