The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed.
Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn't require parents to obtain the consent of their children.
But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.
Robert Wiggins, a UK-based security researcher who searches for public and exposed data, found two leaky servers.
Both of the servers was pulled offline after ZDNet alerted the company, including another that contains what appears to be only test data.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday.
The database stores the parent's email address associated with TeenSafe, as well as their corresponding child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
None of the records contained content data, such as photos or messages, or the locations of either parents or children.
The data also contained error messages associated with a failed account action, such as if a parent looking up a child's real-time location didn't complete.
Shortly before the server went offline, there were at least 10,200 records from the past three months containing customers data -- but some are duplicates.
One of the servers appeared to store test data, but it's not known if there are other exposed servers with additional data.
TeenSafe claims to have over a million parents using the service.
We began verifying some of the data by reaching out to those whose email addresses were named in the leaking data.
We contacted a dozen people over iMessage, one by one, to confirm their passwords (you can learn more about how we verify data breaches here). Not everyone responded. But several people -- parents of children who use the app -- confirmed their email addresses and passwords, or that it had been recently changed within the past month or so.
The parents also confirmed their child's email address, used as their Apple ID.
While we did not contact children for fear of causing alarm, some of the email addresses were associated with their high schools.
It's not clear why the data, let alone passwords for teens' Apple IDs, was stored in plaintext.
The company claims on its website that it's "secure" and uses encryption to scramble the data, such as in the event of a data breach.
TeenSafe said it was continuing to assess the situation and "will provide additional information" as it becomes available.