A misconfigured database from a child tracking & monitoring firm exposed over 6.8 million private child text messages, 1.8 million images (many depicting children), and over 1700 in-depth child profiles.
uKnowKids monitoring software advertises that it “Makes Parenting Easier, and Keeps Kids Safe Online and on the Mobile Phone.” On its web site, it claims that it has helped parents protect more than 260,000 kids in more than 50 countries around the world.
As part of deploying uKnowKids, parents are required to set up a profile for each child that starts with their name and date of birth. But that’s just the beginning.
We also ask you to optionally provide the following information: mobile phone number, email address, school names and city and various online profile screen names and log-in credentials. This information is used to collect online and mobile device activity information from your Linked Accounts and information about the contacts communicating with your Linked Accounts.
Once a parent has created a child profile, the software, which can be installed on any mobile device the child uses, collects information about the mobile phone activities, contacts and location. The information on your child collected includes:
- the online profile/screen names, mobile telephone numbers and email addresses associated with the Linked Accounts and the people communicating with the Linked Accounts and devices and in certain situations, the text of the online or mobile phone SMS or MMS conversations themselves;
- the geographic location and time and date associated with a specific geographic location of your Linked Account mobile device;
- your Linked Accounts’ social networking activity and contacts;
- photographs sent, received or uploaded by your Linked Account;
- the websites visited from your Linked Account mobile device; and
- the applications installed on your Linked Account mobile device.
Their pricing plan provides more details on the platforms they monitor and types of information they collect.
Obviously, with so much personal and possibly sensitive information, information security should be a concern to parents, and uKnowKids describes its security thusly:
This site has security measures in place to protect your personal identifying information from unauthorized access, use, or disclosure. Because of the personal nature of the information that may be collected and maintained on this site, all personal and financial information is transmitted over a 128-bit Secure Socket Layer (SSL) encrypted connection. uKnow.com has taken security measures consistent with international data protection practices so that the collected information receives an adequate level of protection.
All of that sounds good except they didn’t live up to that assurance, as there were no login credentials required to access a database with tons of personal information on children.
Chris Vickery, who now blogs about security over on MacKeeper, alerted this site that a misconfigured MongoDB installation exposed over 6.8 million private child text messages, 1.8 million images (many depicting children, according to Chris), and over 1700 in-depth child profiles.
The data reportedly included full names, email addresses, GPS coordinates, dates of birth, and much more, although Chris tells DataBreaches.net that he did not see payment info or parent details exposed. This screenshot, provided by Chris, indicates that there were data on 1,740 children:
Upon discovery, Chris responsibly attempted to notify uKnowKids. Notification was made late last week and the database was reportedly secured shortly thereafter.
Chris’s conversation with the firm’s CEO, Steve Woda, was not a particularly positive one, Chris claims, in somewhat stark contrast to the appreciative email Chris had received from him the previous day. He informs this site that Woda went so far as to suggest that anyone reporting on the breach might have liability under COPPA.
Well, there may be liability under COPPA, but it will not be Vickery or this site that incurs any liability. uKnowKids may wish to review their cyberinsurance policy in case the FTC comes knocking on their door.
As of today, there is no notice or press release on uKnowKids’ site about the incident, so it’s possible that parents using the service are not yet aware of what happened or that their child’s personal info was exposed. DataBreaches.net emailed a set of questions to uKnowKids, asking them:
- For how long the database was exposed/unsecured/available,
- Whether there has been any access log analysis to indicate how many IP addresses outside of uKnowKids may have accessed and/or downloaded data,
- What uKnowKids is doing in response to this incident to notify parents of the situation,
- What uKnowKids is doing to prevent a recurrence of this type of incident, and
- Who was responsible for securing the database? Was it under uKnowKids’ control or was it a vendor?
DataBreaches.net will update this post if and when a response is received.
Update 1: This site has not received a response as of this morning (Feb. 23), but in the interim, Steve Woda posted a statement on their web site: Breaking news… A uKnow database was breached by a hacker, and here are the facts as we know them right now.
Their statement neither confirms nor refutes any numbers reported by Vickery to this site and other media outlets, but Woda states they have notified customers, reached out to the FTC to report the incident and to get guidance, and they have brought in experts to investigate and assist them in further securing data. Of note, Woda states:
The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow’s most important technology.
With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data was exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
uKnow’s technology team patched the database vulnerability within 90 minutes of discovery.
That statement is consistent with what Vickery had reported to DataBreaches.net.
Woda also reports that in addition to two IP addresses associated with Vickery, two other IP addresses also “discovered” the vulnerable database, but those, Woda says, are from “credible organizations and neither of the IP addresses explored the database in question.”
There was no statement as to how long the database was vulnerable, but Woda indicates that there will be further updates as more information becomes available.
In a tweet to this blogger and others, Woda denies attempting to intimidate Vickery from reporting on the incident: “I asked Mr. Vickery to destroy the DB he downloaded. He said “no”. I said that was not ok.”
Having reported on other incidents discovered by Vickery, I am not surprised Vickery would decline to delete whatever he may have downloaded, as he retains proof of his claims until an incident is acknowledged and then he does destroy the data. I would expect he’s following those same procedures here.