uKnowKids.com database error exposed sensitive information on 1,700 kids

uKnowKids.com is a company in Arlington, Virginia that helps parents monitor their child’s activities online, by watching their mobile communications, social media activities, and their location.

On Monday, it was disclosed that the child monitoring service had a misconfigured MongoDB installation, which left sensitive details about the children who were enrolled exposed for months. The database exposing the children’s records was discovered by researcher Chris Vickery [*].

According to uKnowKids.com, the service works on iOS and Android and “gathers and analyzes social and mobile data from 21 different data sources in order to help make your life as a digital parent easier and simpler.”

The exposed database contained sensitive records on just over 1,700 children, including full names, email addresses, GPS coordinates, date of birth, 6.8 million private text messages, and 1.8 million images (many depicting children). Facebook, Twitter, and Instagram account details were also exposed.

Vickery, who works with Kromtech (the company behind MacKeeper) said that all indications point to the database being exposed for 48 days before he discovered it.

Once discovered, he reported the problem to uKnowKids.com, and the issue was resolved within an hour.

“We believe that protecting a child’s digital identity is just as important as protecting a child’s Social Security Number or other sensitive information. The potential for abuse or safety risks involved with the unsecured data collection of children is a nightmare that no parent ever wants to be faced with,” Vickery wrote in an email to Salted Hash.

“As the use of ‘Child Tracking’ software applications and services continues to grow in popularity, this is big a wake up call to the entire industry to secure, encrypt, and protect the information they collect on children.”

In his email, Vickery said that the CEO of uKnowKids, Steve Woda, attempted to use intimidation tactics during a phone conversation, insisting that Vickery acted inappropriately by discovering the public database and reporting it.

The change in tone was surprising, considering that Woda was friendly during email exchanges before the call took place.

Further, Woda told Vickery that his company is bound by the Children’s Online Privacy Protection Act or COPPA.

According to the FTC any operators of a website or online service with knowledge that they’re collecting, using, or disclosing personal information from children under 13 must “…establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

Based on the FTC outline, all of the information in the database that Vickery discovered is covered by COPPA.

Salted Hash has reached out to uKnowKids.com for comment. This story will be updated once they respond.

“The lesson to learn here is that, if you’re a parent, be wary of services that offer to monitor your child’s online behavior. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people,” Vickery said.

[*] Vickery has worked with Salted Hash on a number of stories. Such stories include database leaks that exposed class records at SNHU, 3.3 million Hello Kitty fans, a vulnerable jobs portal used by Microsoft, 191 million voter records, and an additional 18 million voter records with targeted data.