The misconfigured database at uKnowKids.com, which exposed 1,700 kids, their personal messages, social media profiles, and images for at least 48 days, also held the company's secret sauce (sensitive IP), the CEO said in a statement, making the incident slightly worse than previously reported.
On Monday, Chris Vickery, Kromtech's security researcher, disclosed details on a misconfigured MongoDB installation at uKnowKids.com. The database was online for at least 48 days before Vickery discovered it, and once he reported the problem, the company fixed it a short time later.
The exposed database contained records on just over 1,700 children, including full names, email addresses, passwords, GPS coordinates, date of birth, 6.8 million private text messages, and 1.8 million images (many depicting the account holder's child, as well as other children). Facebook, Twitter, and Instagram account details were also exposed.
But a public notice, signed by Steve Woda, the CEO of uKnowKids.com, said that the exposed database also contained other sensitive information.
"What we do know right now is that the alleged data breach affected about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.The database also included uKnow's proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow's technology," Woda's letter stated.
The company has identified two IP addresses that accessed the data so far, both of them associated with Vickery. However, the company took issue with Vickery's actions, and spent a good deal of time tearing into him in their public comments.
"The hacker claims to be a "white-hat" hacker which means he tries to obtain unauthorized access into private systems for the benefit of the 'public good'. Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team," Woda wrote.
Further down in the letter, the company named Vickery directly said they didn't have any additional background information on him, but they were doing their best to fully identify Vickery and "validate his stated 'benign' intentions."
The company also stated that Vickery downloaded their database, and deleted his copy after some resistance. Salted Hash reached out to him to confirm this claim.
"Oh yes, definitely. As is the right of any member of the public accessing information that is configured for public access and being offered to the public," Vickery said.
"However, after considering the potential worry to parents, I securely wiped it within 48 hours and notified uKnowKids of this fact. However, the few retained screenshots are completely redacted of all Personally Identifiable Information and are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims."
Woda's letter stated that the company continues to demand Vickery to delete the screenshots, stating that they are, in fact, "copies of uKnow's database."
"Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately," Woda wrote.
Salted Hash has seen screenshots of the database. The images confirm was available for ate least 48 days, as well as the IP address associated with the exposed database, and other account details.
One image is of a child taking a picture of herself, with three younger children clearly visible in the background. It isn't clear if the other children are siblings, or if they're children not associated with the account being monitored.
Woda said that FTC has been contacted in order to offer guidance and to report the breach, because the company does its best to comply with COPPA regulations.
COPPA requires businesses like uKnowKids.com to "...establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."
Given what's happened during this incident, it's possible that uKnowKids.com could face regulatory actions, including fines.
Woda's letter also includes a list of things the company has done to strengthen security during the incident's aftermath, such as hiring two security firms to conduct Red Team attacks.
In addition, the company has made changes to security policy "so that there is zero ambiguity with respect to the daily, weekly and monthly security procedures that our organization will execute on to continue our best efforts to protect our customers' data and our corporate assets."
Existing customers have been notified, and Woda said that Norton Safe Shopping Guarantees would be provided for every new uKnowKids customer. It isn't clear what existing customers, or the 1,700 families impacted by the incident will get as compensation.